Require server-side encryption for uploads of Amazon S3 bucket objects - AWS SDK for Ruby
The AWS services or features described in the AWS documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with AWS services in China.

This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

Require server-side encryption for uploads of Amazon S3 bucket objects

The following code example attaches a bucket policy that denies uploads of objects to an Amazon S3 bucket unless they use server-side encryption with AWS KMS (the s3:x-amz-server-side-encryption header must be present and equal to aws:kms).

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

require 'aws-sdk-s3'

# Denies uploads of objects without server-side AWS KMS encryption to
# an Amazon S3 bucket.
#
# Prerequisites:
#
# - The Amazon S3 bucket to deny uploading objects without
#   server-side AWS KMS encryption.
#
# @param s3_client [Aws::S3::Client] An initialized Amazon S3 client.
# @param bucket_name [String] The bucket's name.
# @return [Boolean] true if a policy was added to the bucket to
#   deny uploading objects without server-side AWS KMS encryption;
#   otherwise, false.
# @example
#   if deny_uploads_without_server_side_aws_kms_encryption?(
#     Aws::S3::Client.new(region: 'us-east-1'),
#     'doc-example-bucket'
#   )
#     puts 'Policy added.'
#   else
#     puts 'Policy not added.'
#   end
def deny_uploads_without_server_side_aws_kms_encryption?(s3_client, bucket_name)
  policy = {
    'Version': '2012-10-17',
    'Id': 'PutObjPolicy',
    'Statement': [
      {
        # Deny PutObject when the encryption header is present but is not aws:kms.
        'Sid': 'DenyIncorrectEncryptionHeader',
        'Effect': 'Deny',
        'Principal': '*',
        'Action': 's3:PutObject',
        'Resource': 'arn:aws:s3:::' + bucket_name + '/*',
        'Condition': {
          'StringNotEquals': {
            's3:x-amz-server-side-encryption': 'aws:kms'
          }
        }
      },
      {
        # Deny PutObject when the encryption header is missing entirely.
        'Sid': 'DenyUnEncryptedObjectUploads',
        'Effect': 'Deny',
        'Principal': '*',
        'Action': 's3:PutObject',
        'Resource': 'arn:aws:s3:::' + bucket_name + '/*',
        'Condition': {
          'Null': {
            's3:x-amz-server-side-encryption': 'true'
          }
        }
      }
    ]
  }.to_json

  s3_client.put_bucket_policy(
    bucket: bucket_name,
    policy: policy
  )
  return true
rescue StandardError => e
  puts "Error adding policy: #{e.message}"
  return false
end

# Full example call:
def run_me
  if deny_uploads_without_server_side_aws_kms_encryption?(
    Aws::S3::Client.new(region: 'us-east-1'),
    'doc-example-bucket'
  )
    puts 'Policy added.'
  else
    puts 'Policy not added.'
  end
end

run_me if $PROGRAM_NAME == __FILE__
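The two Deny statements above cover different cases: StringNotEquals rejects a PutObject whose encryption header is present with the wrong value (for example AES256), while Null rejects a PutObject with no encryption header at all. The following added example, which is not part of the AWS SDK for Ruby page or of the AWS SDK itself, is a small offline evaluator that applies those two statements to constructed PutObject request contexts, so you can see which uploads the policy blocks before installing it on a real bucket. The helper names (sse_kms_policy, condition_matches?, denying_sids, evaluate_samples) and the sample request contexts are assumptions constructed for this example; the evaluator models only the two condition operators the policy uses, and its handling of an absent key under StringNotEquals (treated as not matching) is a simplification that shows why the separate Null statement is needed.

```ruby
# Added example, not the page's own code: evaluates the page's two Deny
# statements against constructed PutObject request contexts, offline.
require 'json'

# Hypothetical helper: the same two-statement policy the page installs,
# built with string keys so it round-trips through JSON unchanged.
def sse_kms_policy(bucket_name)
  {
    'Version' => '2012-10-17',
    'Id' => 'PutObjPolicy',
    'Statement' => [
      { 'Sid' => 'DenyIncorrectEncryptionHeader', 'Effect' => 'Deny', 'Principal' => '*',
        'Action' => 's3:PutObject', 'Resource' => "arn:aws:s3:::#{bucket_name}/*",
        'Condition' => { 'StringNotEquals' => { 's3:x-amz-server-side-encryption' => 'aws:kms' } } },
      { 'Sid' => 'DenyUnEncryptedObjectUploads', 'Effect' => 'Deny', 'Principal' => '*',
        'Action' => 's3:PutObject', 'Resource' => "arn:aws:s3:::#{bucket_name}/*",
        'Condition' => { 'Null' => { 's3:x-amz-server-side-encryption' => 'true' } } }
    ]
  }
end

# True when every operator/key pair in the condition block matches the
# request context. Only the operators used by this policy are implemented.
# Simplification (assumption): an absent key does not match StringNotEquals;
# the policy relies on the Null statement to catch that case.
def condition_matches?(condition, context)
  condition.all? do |operator, pairs|
    pairs.all? do |key, expected|
      case operator
      when 'StringNotEquals'
        context.key?(key) && context[key] != expected
      when 'Null'
        # Null: 'true' matches when the key is absent, 'false' when present.
        (expected == 'true') == !context.key?(key)
      else
        raise ArgumentError, "unsupported condition operator #{operator}"
      end
    end
  end
end

# Sids of the Deny statements that would block the request; [] means the
# policy does not deny it (other policies may still apply).
def denying_sids(policy, action, resource, context)
  policy['Statement'].select do |stmt|
    stmt['Effect'] == 'Deny' &&
      stmt['Action'] == action &&
      File.fnmatch(stmt['Resource'], resource) &&
      condition_matches?(stmt['Condition'], context)
  end.map { |stmt| stmt['Sid'] }
end

# Constructed sample request contexts: SSE-KMS header, SSE-S3 header, no header.
def evaluate_samples(bucket_name = 'doc-example-bucket')
  policy = JSON.parse(JSON.generate(sse_kms_policy(bucket_name)))
  resource = "arn:aws:s3:::#{bucket_name}/reports/q1.csv"
  samples = {
    'sse_kms' => { 's3:x-amz-server-side-encryption' => 'aws:kms' },
    'sse_s3'  => { 's3:x-amz-server-side-encryption' => 'AES256' },
    'no_sse'  => {}
  }
  samples.transform_values { |ctx| denying_sids(policy, 's3:PutObject', resource, ctx) }
end

if $PROGRAM_NAME == __FILE__
  evaluate_samples.each do |name, sids|
    puts "#{name}: #{sids.empty? ? 'allowed by this policy' : "denied by #{sids.join(', ')}"}"
  end
end
```

Running the script shows the split of responsibilities: the aws:kms request is not denied, the AES256 request is denied by DenyIncorrectEncryptionHeader, and the request with no header is denied by DenyUnEncryptedObjectUploads. Removing either statement from the policy leaves one of the two bad uploads unblocked in this model, which is the practical reason the page installs both.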