Overview
Goal: use lifecycle rules, versioning and server-side encryption (SSE-S3/SSE-KMS) to optimise storage cost and keep data compliant.
Applies to: log archives, backup files, and the long-term retention and tiered storage of user-uploaded assets.

Core configuration and practice
Enable versioning:
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled

Lifecycle configuration (temporary files under tmp/ expire after 30 days; logs move to Glacier after 90 days; noncurrent versions are removed 60 days after they stop being current). Every rule needs a Filter, so the bucket-wide third rule carries an empty one; with versioning on, the 30-day expiration only places a delete marker on the current version, and the third rule is what actually reclaims the space:
aws s3api put-bucket-lifecycle-configuration --bucket my-bucket --lifecycle-configuration '{
  "Rules": [
    {
      "ID": "tmp-expire",
      "Filter": {"Prefix": "tmp/"},
      "Status": "Enabled",
      "Expiration": {"Days": 30}
    },
    {
      "ID": "archive-glacier",
      "Filter": {"Prefix": "logs/"},
      "Status": "Enabled",
      "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]
    },
    {
      "ID": "noncurrent-clean",
      "Filter": {},
      "Status": "Enabled",
      "NoncurrentVersionExpiration": {"NoncurrentDays": 60}
    }
  ]
}'
Server-side encryption policy (default SSE-KMS with a customer-managed key; the key ARN below is a placeholder to replace with your own):
aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{
  "Rules": [{
    "ApplyServerSideEncryptionByDefault": {
      "SSEAlgorithm": "aws:kms",
      "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
  }]
}'
Bucket policy enforcing TLS and denying public reads. The first statement rejects every request that does not arrive over HTTPS. Note what the second statement actually does: it denies s3:GetObject to every principal (the account included) for objects carrying the tag public=true, so the tag acts as a read lock; blocking anonymous access itself is the job of the Block Public Access settings checked in the verification section.
aws s3api put-bucket-policy --bucket my-bucket --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyPublicRead",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {"StringEquals": {"s3:ExistingObjectTag/public": "true"}}
    }
  ]
}'
Example: encrypting a single object with an explicitly chosen KMS key (placeholder ARN):
aws s3 cp report.pdf s3://my-bucket/reports/ --sse aws:kms --sse-kms-key-id arn:aws:kms:us-east-1:123456789012:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Retrieving an archived object from Glacier (an S3 restore request; the temporary copy stays readable for 2 days, Standard retrieval tier):
aws s3api restore-object --bucket my-bucket --key logs/2025/11/26/app.log --restore-request '{"Days": 2, "GlacierJobParameters": {"Tier": "Standard"}}'
Verification and monitoring
Check the lifecycle and encryption configuration:
aws s3api get-bucket-lifecycle-configuration --bucket my-bucket
aws s3api get-bucket-encryption --bucket my-bucket

Access-control check (anonymous access and plain HTTP must be blocked):
aws s3api get-bucket-policy --bucket my-bucket
aws s3api get-public-access-block --bucket my-bucket
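The get-bucket-* commands above only print JSON; deciding whether that JSON matches the baseline is still manual. The following added example (not part of the original post) audits that output offline: the sample inputs are constructed to mirror what the CLI prints, and the checks cover versioning, the noncurrent-version and archive rules, SSE-KMS as default, the TLS deny statement, and Block Public Access.

```python
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed samples of what the `aws s3api get-bucket-*` commands above print (not real output).
GOOD_VERSIONING = {"Status": "Enabled", "MFADelete": "Disabled"}
GOOD_LIFECYCLE = {"Rules": [
    {"ID": "archive-glacier", "Filter": {"Prefix": "logs/"}, "Status": "Enabled",
     "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]},
    {"ID": "noncurrent-clean", "Filter": {}, "Status": "Enabled",
     "NoncurrentVersionExpiration": {"NoncurrentDays": 60}}]}
GOOD_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"}}]}}
# get-bucket-policy returns the policy document as a JSON *string* inside "Policy".
GOOD_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}
GOOD_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}


def has_tls_deny(policy_output):
    """True if some Deny statement fires when aws:SecureTransport is false (plain HTTP)."""
    for st in json.loads(policy_output["Policy"]).get("Statement", []):
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if st.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def audit_bucket(versioning, lifecycle, encryption, policy, pab):
    """Return a list of findings; an empty list means the bucket matches the baseline above."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled")
    rules = [r for r in lifecycle.get("Rules", []) if r.get("Status") == "Enabled"]
    if not any("NoncurrentVersionExpiration" in r for r in rules):
        findings.append("no enabled rule expires noncurrent versions")
    if not any(t.get("StorageClass", "").startswith(("GLACIER", "DEEP_ARCHIVE"))
               for r in rules for t in r.get("Transitions", [])):
        findings.append("no enabled rule transitions objects to an archive class")
    enc = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "aws:kms" for r in enc):
        findings.append("default encryption is not SSE-KMS")
    if not has_tls_deny(policy):
        findings.append("bucket policy has no Deny for aws:SecureTransport=false")
    conf = pab.get("PublicAccessBlockConfiguration", {})
    off = [k for k in PAB_KEYS if conf.get(k) is not True]
    if off:
        findings.append("public access block settings off: " + ", ".join(off))
    return findings
```

In practice, feed it the parsed output of the four get-bucket-* commands (plus get-bucket-versioning) for each bucket and treat a non-empty findings list as a compliance failure.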
Use CloudTrail and KMS audit logs to record key usage and object operations, so that compliance evidence is retained.

Common pitfalls
- Ignoring versioning, so that an accidental deletion cannot be recovered: enable versioning and pair it with an expiration rule for noncurrent versions.
- Moving every object to Glacier immediately, which produces frequent and expensive restores: tier by access frequency and set sensible TTLs.
- Not enforcing SSE-KMS and TLS, leaving data exposed to plaintext storage or insecure transport: enforce both at the bucket level.

Conclusion
S3 lifecycle and encryption policies deliver security, compliance and cost control together; the CLI and the audit logs are how you verify them and keep governing them over time.