Deny access to an S3 bucket for everything except a specific Lambda

Problem description

I am trying to add the following bucket policy, which should deny access to the bucket for any (Get, Put, Delete) operation except from my AWS Lambda. Can you help explain why this doesn't work?

{
    "Version": "2012-10-17",
    "Id": "Policy#####",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::#####-s3-file-upload/*"
            ],
            "Condition": {
                "ArnNotEquals": {
                    "aws:SourceArn": "arn:aws:lambda:us-east-1:5######1:function:temp_read_s3"
                }
            }
        }
    ]
}

Tags: amazon-web-services, amazon-s3, aws-lambda, aws-sdk

Solution


The solution for the Lambda was to add the assumed role. After some digging and troubleshooting, I realised that the Lambda function assumes the role you give it, and that assumed role must also be added to the S3 bucket policy, as shown below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "2",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::55account_id111:role/iam_policy_role",
                    "arn:aws:sts::55account_id111:assumed-role/#####_lambda_role/lambda_function"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::######-bucketName/*",
                "arn:aws:s3:::######-bucketName"
            ]
        }
    ]
}
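To make the difference between the two policies concrete, here is an added example (not code from the question or the answer) that models how S3 evaluates each Deny statement against a request. It relies on two documented IAM behaviours: `aws:SourceArn` is only populated when an AWS service calls another service on your behalf, so it is absent from the request context when a Lambda function's own SDK code calls S3; and negated condition operators such as `ArnNotEquals` evaluate to true when the key is missing from the context. That combination is why the original policy denies everyone, including the Lambda. The account id, bucket name, role name and object key below are constructed placeholders, and the evaluator is deliberately minimal (Deny statements only, `ArnNotEquals` only, exact `AWS` principal matching).

```python
import fnmatch
import json

# Constructed sample values; the thread's own identifiers are redacted placeholders.
ACCOUNT = "111122223333"
BUCKET = "example-file-upload"
FUNCTION_NAME = "temp_read_s3"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/lambda_role"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:{FUNCTION_NAME}"


def assumed_role_arn(role_arn: str, session_name: str) -> str:
    """Derive the STS assumed-role ARN that S3 sees for a principal running
    under `role_arn`. Lambda uses the function name as the role session name."""
    parts = role_arn.split(":")                  # arn:aws:iam::ACCOUNT:role/NAME
    account = parts[4]
    role_name = parts[5].split("/", 1)[1]
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt: dict, principal: str) -> bool:
    """Principal "*" matches anyone; NotPrincipal matches everyone NOT listed."""
    if "Principal" in stmt:
        spec = stmt["Principal"]
        if spec == "*" or spec == {"AWS": "*"}:
            return True
        return principal in _as_list(spec.get("AWS", []))
    if "NotPrincipal" in stmt:
        return principal not in _as_list(stmt["NotPrincipal"]["AWS"])
    return False


def _condition_matches(cond: dict, context: dict) -> bool:
    """Only ArnNotEquals is modelled. Like every negated operator it is TRUE
    when the key is absent from the request context, which is the trap here."""
    for operator, pairs in cond.items():
        if operator != "ArnNotEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is not None and actual in _as_list(expected):
                return False
    return True


def is_denied(policy: dict, principal: str, action: str, resource: str, context=None) -> bool:
    """True if any Deny statement in `policy` applies to this request."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt, principal):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        return True
    return False


ACTIONS = ["s3:GetObject", "s3:DeleteObject", "s3:PutObject"]

# The question's policy: Deny everyone unless aws:SourceArn equals the function ARN.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": ACTIONS,
        "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"ArnNotEquals": {"aws:SourceArn": FUNCTION_ARN}},
    }],
}

# The answer's policy: Deny everyone except the role and its assumed-role session.
LAMBDA_SESSION = assumed_role_arn(ROLE_ARN, FUNCTION_NAME)
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "2", "Effect": "Deny",
        "NotPrincipal": {"AWS": [ROLE_ARN, LAMBDA_SESSION]},
        "Action": ACTIONS,
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
    }],
}


def walkthrough() -> dict:
    """Evaluate representative requests against both policies."""
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"          # constructed object key
    other_user = f"arn:aws:iam::{ACCOUNT}:user/alice"   # constructed principal
    return {
        # Lambda's SDK call carries no aws:SourceArn, so the original policy denies it.
        "original_denies_lambda": is_denied(ORIGINAL_POLICY, LAMBDA_SESSION, "s3:GetObject", obj),
        # Only if the key were present would the exception take effect.
        "original_with_sourcearn_set": is_denied(
            ORIGINAL_POLICY, LAMBDA_SESSION, "s3:GetObject", obj, {"aws:SourceArn": FUNCTION_ARN}),
        "fixed_denies_lambda": is_denied(FIXED_POLICY, LAMBDA_SESSION, "s3:GetObject", obj),
        "fixed_denies_role": is_denied(FIXED_POLICY, ROLE_ARN, "s3:PutObject", obj),
        "fixed_denies_other_user": is_denied(FIXED_POLICY, other_user, "s3:DeleteObject", obj),
    }


if __name__ == "__main__":
    print(json.dumps(walkthrough(), indent=2))
```

Running the script shows the original policy denying the Lambda session (the condition key is simply never present for it), while the answer's `NotPrincipal` policy lets both the role and its assumed-role session through and still denies any other principal. Note that a Deny with `NotPrincipal` is a deliberately blunt instrument: anyone not on the list, including the account's own administrators, is denied, so both the role ARN and the assumed-role ARN should stay in the list exactly as the answer shows.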

