Restrict AWS S3 bucket access to a single role

Question

I am trying to restrict access to an S3 bucket to a single EC2 role. I have attached the following bucket policy to the bucket, and public access is turned off on the bucket. However, once the policy is applied, I can still access the bucket with curl from an instance that has no role attached. Can anyone tell me what I am missing?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucketname",
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "AROQQQCCCZZDDVVQQHHCC:*",
                        "123456789012"
                    ]
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "AROQQQCCCZZDDVVQQHHCC:*",
                        "123456789012"
                    ]
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "AROQQQCCCZZDDVVQQHHCC:*",
                        "123456789012"
                    ]
                }
            }
        }
    ]
}

Tags: amazon-web-services, amazon-s3

Solution


I believe the following S3 policy should do the job. Remember to replace the role ARN with the correct role, which I assume is attached to your EC2 instance. Also, make sure your EC2 role has the right policy to perform the list, get, put and delete actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExplicitDenyAllActions",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Sid": "AllowListForIAMRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/ROLENAME"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucketname"
        },
        {
            "Sid": "AllowDeleteGetPutForIAMRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/ROLENAME"
            },
            "Action": [
                "s3:Delete*",
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Sid": "AllowAllActionForUser",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111111:user/USERNAME"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        }
    ]
}

Useful documentation where you can find more information: AWS documentation on S3 bucket policies
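Both posts on this page hinge on how a bucket policy's Allow and Deny statements combine for a given caller. The following is an added example, written for this page and not taken from either post or from AWS: a small offline simulator of the documented evaluation rules (an explicit Deny overrides any Allow; with no matching Allow the result is an implicit deny; Principal "*" matches any caller; StringLike and StringNotLike use IAM's "*" wildcard, and a negated operator holds when the key is absent from the request context). It replays the question's policy and the answer's policy against constructed request contexts for the trusted role session, the account root and an unrelated role. The role id AROQQQCCCZZDDVVQQHHCC, the account id 123456789012 and the ARNs are the placeholders from the two posts; the session name, the object key and the unrelated role are constructed. The simulator ignores identity-based policies, ACLs, Block Public Access and the bucket owner's special rights, so it is a reading aid rather than a replacement for testing against the real service.

```python
"""Offline simulator of the core IAM / S3 bucket-policy decision rules.

Added example, not AWS's evaluation engine.  Modelled: explicit Deny beats
Allow, no matching Allow is an implicit deny, Principal "*" vs an explicit
AWS principal ARN, StringLike / StringNotLike with "*" and "?" wildcards.
Not modelled: identity-based policies, ACLs, Block Public Access, root's
ability to always delete a bucket policy.
"""
import fnmatch

BUCKET = "arn:aws:s3:::bucketname"
OBJECTS = "arn:aws:s3:::bucketname/*"
TRUSTED_USERIDS = ["AROQQQCCCZZDDVVQQHHCC:*", "123456789012"]   # placeholders from the question
ROLE_ARN = "arn:aws:iam::111111111111:role/ROLENAME"             # placeholders from the answer
USER_ARN = "arn:aws:iam::111111111111:user/USERNAME"

# The question's policy, condensed: Allows gated on aws:userid plus a Deny for
# every caller whose userid does NOT match the trusted patterns.
QUESTION_POLICY = [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"aws:userid": TRUSTED_USERIDS}}},
    {"Effect": "Allow", "Principal": "*", "Resource": OBJECTS,
     "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
     "Condition": {"StringLike": {"aws:userid": TRUSTED_USERIDS}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [OBJECTS, BUCKET],
     "Condition": {"StringNotLike": {"aws:userid": TRUSTED_USERIDS}}},
]

# The answer's policy, condensed: an unconditioned Deny for "*" plus Allows
# that name the role and a user as explicit principals.
ANSWER_POLICY = [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [OBJECTS, BUCKET]},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Resource": [OBJECTS, BUCKET],
     "Action": ["s3:Delete*", "s3:Get*", "s3:Put*"]},
    {"Effect": "Allow", "Principal": {"AWS": [USER_ARN]}, "Action": "s3:*", "Resource": [OBJECTS, BUCKET]},
]

# Constructed request contexts.  An assumed-role session's aws:userid is
# "<role-id>:<session-name>"; the account root's userid is the bare account id.
ROLE_SESSION = {"aws:userid": "AROQQQCCCZZDDVVQQHHCC:i-0123456789abcdef0", "aws:PrincipalArn": ROLE_ARN}
ROOT_USER = {"aws:userid": "123456789012", "aws:PrincipalArn": "arn:aws:iam::123456789012:root"}
OTHER_ROLE = {"aws:userid": "AROAZZZZZZZZZZZZZZZZZ:other",
              "aws:PrincipalArn": "arn:aws:iam::999999999999:role/Other"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value, fold=False):
    # Action names are case-insensitive (fold=True); resource ARNs are not.
    norm = (lambda s: s.lower()) if fold else (lambda s: s)
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))


def _principal_matches(principal, ctx):
    if principal == "*":                      # any caller, anonymous included
        return True
    return ctx.get("aws:PrincipalArn") in _as_list(principal.get("AWS", []))


def _condition_matches(condition, ctx):
    # Every operator/key pair must hold (AND); any listed value may match (OR).
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            actual = ctx.get(key)
            hit = actual is not None and _glob_any(patterns, actual)
            # A negated operator also holds when the key is absent from the context.
            holds = hit if operator == "StringLike" else not hit
            if not holds:
                return False
    return True


def evaluate(statements, ctx, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not (_principal_matches(stmt["Principal"], ctx)
                and _glob_any(stmt["Action"], action, fold=True)
                and _glob_any(stmt["Resource"], resource)
                and _condition_matches(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"             # an explicit deny overrides every allow
        decision = "Allow"
    return decision


def matrix(statements):
    """Decisions for a few representative caller/action pairs, keyed by label."""
    obj = "arn:aws:s3:::bucketname/secret.txt"   # constructed object key
    checks = {
        "role GetObject": (ROLE_SESSION, "s3:GetObject", obj),
        "role ListBucket": (ROLE_SESSION, "s3:ListBucket", BUCKET),
        "root ListBucket": (ROOT_USER, "s3:ListBucket", BUCKET),
        "other-account role GetObject": (OTHER_ROLE, "s3:GetObject", obj),
    }
    return {label: evaluate(statements, *args) for label, args in checks.items()}


if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        for label, decision in matrix(policy).items():
            print(f"{name:8} {label:30} {decision}")
```

Running the script prints one decision per caller/action pair for each policy. The `matrix` helper is deliberately small; the point of the simulator is the order of operations in `evaluate`, which is the part of the AWS model that determines whether a blanket Deny statement can coexist with the Allow statements that follow it.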
