AWS IAM策略:如何更改AWSLambdaFullAccess策略以仅允许访问一个S3存储桶?

时间:2016-03-02 15:39:02

标签: amazon-web-services amazon-s3 aws-lambda

我正在与我的IT团队一起限制我的用户帐户(在root帐户下),以便它无法访问我不想访问的S3存储桶。启用AWSLambdaFullAccess策略时,它可以完全访问许多AWS功能,包括所有S3。这是AWSLambdaFullAccess策略:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "s3:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    }
  ]
}

大部分都没问题。我如何将其更改为新策略,以便我只能访问“arn:aws:s3 ::: lambda-scripts”存储桶?

2 个答案:

答案 0 :(得分:3)

我能想到的最直接的编辑方法是从您拥有的语句中删除“s3:*”操作,并添加第二个语句,授予S3访问权限。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    },
    {
        "Sid": "S3LambdaScripts",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::lambda-scripts*"
        ]
    }
  ]
}

更好的答案是您真的不应该使用预定义的AWSLambdaFullAccess权限。相反,使用针对您真正需要的服务和资源的多个语句构建自己的语句。例如,你真的使用Dynamo,Kinesis,Cognito等吗?是的,这很乏味。但是,如果您将较小的增量保存为IAM中的用户定义策略,则可以更轻松地将自定义和预定义内容的合理策略拼凑在一起。

答案 1 :(得分:0)

将S3权限拆分为单独的语句,并修改这些语句的资源设置。像这样:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    },
    {
       "Effect":"Allow",
       "Action":[
          "s3:ListBucket",
          "s3:GetBucketLocation"
       ],
       "Resource":"arn:aws:s3:::lambda-scripts"
      },
    {
     "Effect": "Allow",
     "Action": [        
       "s3:PutObject",
       "s3:GetObject",
       "s3:DeleteObject"
     ],
     "Resource": "arn:aws:s3:::lambda-scripts/*"
    }
  ]
}
相关问题
最新问题