amazon-web-services - AWS 访问策略评估不允许放置存储桶策略
问题描述
我将以下策略附加到 IAM 用户:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutAnalyticsConfiguration",
"s3:GetObjectVersionTagging",
"s3:CreateBucket",
"s3:ReplicateObject",
"s3:GetObjectAcl",
"s3:DeleteBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:GetBucketWebsite",
"s3:PutReplicationConfiguration",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketNotification",
"s3:PutBucketCORS",
"s3:DeleteBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketNotification",
"s3:PutBucketLogging",
"s3:PutObjectVersionAcl",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetLifecycleConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:ReplicateTags",
"s3:RestoreObject",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:ListBucketMultipartUploads",
"s3:PutMetricsConfiguration",
"s3:PutObjectVersionTagging",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:PutInventoryConfiguration",
"s3:GetObjectTorrent",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutBucketWebsite",
"s3:PutBucketRequestPayment",
"s3:GetBucketCORS",
"s3:PutBucketPolicy",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::xyz123-mycloud-dump",
"arn:aws:s3:::xyz123-mycloud-dump/SAMPLE/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:HeadBucket"
],
"Resource": "*"
}
]
}
现在,使用附加了上述策略的 IAM 用户的访问凭证,我正在尝试运行以下命令:
s3api put-bucket-policy --bucket xyz123-mycloud-dump --policy file://policy.json
文件policy.json的内容是:
{
"Statement": [
{
"Effect": "Allow",
"Principal": "arn:aws:iam::<the_account_number_to_which_the_user_belongs>:user/<the_IAM_user_name>",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::xyz123-mycloud-dump/SAMPLE/*", "arn:aws:s3:::xyz123-mycloud-dump"]
}
]
}
我得到一个
调用 PutBucketPolicy 操作时发生错误 (AccessDenied):Access Denied
现在我试图理解为什么?
用户的策略声明允许PutBucketPolicy
对资源:
xyz123-mycloud-dump,
xyz123-mycloud-dump/SAMPLE/
这就是我在上面的政策中尝试做的事情。那为什么拒绝访问呢?
解决方案
从这里:
要解决拒绝访问错误,请检查以下内容:
- 您的 IAM 身份拥有 s3:GetBucketPolicy 和 s3:PutBucketPolicy 的权限。
- 存储桶策略不会拒绝您
对 s3:GetBucketPolicy 或 s3:PutBucketPolicy 的 IAM 身份权限。- 启用 Amazon S3 阻止公共访问后,您对存储桶策略的更改不会授予公共访问权限。
- AWS Organizations 服务控制策略允许访问 Amazon S3。
- 如果存储桶策略拒绝所有人访问 s3:GetBucketPolicy、s3:PutBucketPolicy 或所有 Amazon S3 操作 (s3:*),则删除存储桶策略。
检查您是否有您不知道的活动组织级别 SCP,或者是否启用了阻止公共访问。
推荐阅读
- c++ - DXRSDK_v0.09.01 无法在 Visual Studio 2017 上运行
- php - 想要获取数组值
- javascript - D3 v4 重新渲染嵌套对象,`enter()` 和 `exit()` 出现问题
- javascript - Vuejs:event_id 未定义
- codesniffer - 如何配置 PHP CodeSniffer 以允许具有任何缩进的数组?
- sql-server - 根据实际值检查表格内容
- javascript - 单击按钮时,如何在发送我的 ajax 之前调用我的验证函数?
- python - Python - 如何使用 MIMEText 更改字体
- java - LocalDate(反)序列化适用于 JAX-RS 服务器,但不适用于 JAX-RX 客户端
- java - 为 _deploy.jar java_binary 提供了依赖项