IAM policy not granting access to an access point

Problem description

With this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListStorageLensConfigurations",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:CreateJob"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

I am allowed to access a specific S3 access point. But when I try a more specific policy that only grants s3:* actions on that one access point:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListStorageLensConfigurations",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:CreateJob"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:eu-west-1:598276570227:accesspoint/accesspointname"
        }
    ]
}

this doesn't work: an EC2 instance with this role cannot access the S3 access point (just copying a file with the AWS CLI).

First, why is this? By my reckoning the role should still have access to all actions on that access point (which must be wrong somehow!).

Second, I am trying to make the S3 bucket accessible only from a certain IAM role. I tried setting this from the access policy on the access point itself. That has the opposite problem: it is too permissive and everything can still access it. What is the right way to do this: put an IAM policy on the access point to restrict access to the IAM role, or create an IAM role that has access to this S3 access point?

Tags: amazon-s3, amazon-iam

Solution


I got this working by using this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListStorageLensConfigurations",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:CreateJob"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "s3:DataAccessPointArn": "arn:aws:s3:eu-west-1:598276570227:accesspoint/accesspointname"
                }
            }
        }
    ]
}
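Why the asker's second policy fails and the accepted answer works comes down to which ARN S3 authorizes each request against. Object operations routed through an access point (GetObject, PutObject, the copies the CLI performs) are evaluated against the object form of the access point ARN, `arn:aws:s3:region:account:accesspoint/name/object/key`, while only operations on the access point itself (ListBucket through it, for example) are evaluated against the bare `arn:aws:s3:region:account:accesspoint/name`. A Resource of the bare ARN therefore never matches a PutObject, whereas the answer's `s3:DataAccessPointArn` condition matches any request that arrived through that access point regardless of the resource form. The following is an added illustration, not code from the page or from AWS: a deliberately small IAM-style evaluator (Effect, Action, Resource, StringEquals/StringLike conditions, missing-key handling, nothing more) run over the two policies from the question, the answer's policy, and one assumed tighter alternative that names both ARN forms instead of using `Resource: "*"`. The account id and access point name are the page's own placeholders; the object keys, bucket name and requests are constructed for the example. In real AWS the decision also involves the access point policy and the bucket policy, which must delegate to the access point; this model only shows the identity-policy side.

```python
"""Simplified IAM-style policy evaluator (added example, not AWS's evaluator).

Models just enough of identity-policy evaluation to show why a Resource of the
bare access point ARN misses object operations made through that access point.
"""
import re

# Placeholders taken from the page (account id and access point name).
AP_ARN = "arn:aws:s3:eu-west-1:598276570227:accesspoint/accesspointname"


def _glob(pattern, value, case_sensitive=True):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All operator/key pairs must hold; a key absent from the request fails it."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # condition key not present in this request
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "StringLike":
                if not any(_glob(p, actual) for p in _as_list(wanted)):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names compare case-insensitively; resource ARNs are case-sensitive.
        action_hit = any(_glob(a, action, case_sensitive=False) for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def _policy(statement):
    """Wrap one statement; only the 'VisualEditor1' statement matters here."""
    return {"Version": "2012-10-17", "Statement": [statement]}


POLICIES = {
    # Question's first policy: works, but is s3:* on every resource.
    "all_s3": _policy({"Effect": "Allow", "Action": "s3:*", "Resource": "*"}),
    # Question's second policy: bare access point ARN as the only resource.
    "ap_arn_only": _policy({"Effect": "Allow", "Action": "s3:*", "Resource": AP_ARN}),
    # Accepted answer: wildcard resource scoped by the s3:DataAccessPointArn key.
    "ap_condition": _policy({"Effect": "Allow", "Action": "s3:*", "Resource": "*",
                             "Condition": {"StringLike": {"s3:DataAccessPointArn": AP_ARN}}}),
    # Assumed tighter alternative (not from the page): both ARN forms, no wildcard.
    "ap_and_objects": _policy({"Effect": "Allow", "Action": "s3:*",
                               "Resource": [AP_ARN, AP_ARN + "/object/*"]}),
}

# Constructed requests in the shape the S3 authorizer evaluates them.
REQUESTS = {
    "put_via_ap": ("s3:PutObject", AP_ARN + "/object/report.csv",
                   {"s3:DataAccessPointArn": AP_ARN}),
    "list_via_ap": ("s3:ListBucket", AP_ARN, {"s3:DataAccessPointArn": AP_ARN}),
    "get_bucket_direct": ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", {}),
}


def decision_matrix():
    """Decision for every policy/request pair, keyed by policy then request name."""
    return {name: {req: evaluate(pol, *REQUESTS[req]) for req in REQUESTS}
            for name, pol in POLICIES.items()}


if __name__ == "__main__":
    for name, row in decision_matrix().items():
        print(f"{name:16s} {row}")
```

Running it shows `ap_arn_only` allowing the ListBucket on the access point but implicitly denying the PutObject, which is exactly the CLI copy failing in the question, while both `ap_condition` and `ap_and_objects` allow the copy and still deny a direct request to the bucket that did not come through the access point. The `ap_and_objects` shape is the one to prefer when the role should only ever reach this access point: it gets the same result without granting `s3:*` on `*` and relying on a condition key to narrow it.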

