在使用我的EC2 Instance IDS作为存储分区策略的条件时,我正在调试 AccessDenied 错误。当我尝试执行简单的 PutObject 时,以下存储桶策略会抛出Access Denied错误:
{
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "*",
"Resource": "arn:aws:s3:::ACTUAL-BUCKET-NAME/*",
"Condition": {
"ArnNotEquals": {
"aws:SourceArn": ["arn:aws:ec2:region:ACTUAL-ACCOUNT-ID:instance/ACTUAL-INSTANCE_ID"]
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
"s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:PutObjectAcl",
"s3:PutObjectVersionAcl", "s3:DeleteObject", "s3:DeleteObjectVersion",
"s3:ListMultipartUploadParts", "s3:AbortMultipartUpload",
"s3:GetObjectTorrent", "s3:GetObjectVersionTorrent", "s3:RestoreObject"
],
"Resource": "arn:aws:s3:::ACTUAL-BUCKET-NAME/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": ["arn:aws:ec2:region:ACTUAL-ACCOUNT-ID:instance/ACTUAL-INSTANCE_ID"]
}
}
}
]
}
但是,如果我将条件更改为实例的IP,我将不再收到错误,并且能够整天 PutObject 。
{
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "*",
"Resource": "arn:aws:s3:::ACTUAL-BUCKET-NAME/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "ACTUAL-IP-ADDRESS"
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
"s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:PutObjectAcl",
"s3:PutObjectVersionAcl", "s3:DeleteObject", "s3:DeleteObjectVersion",
"s3:ListMultipartUploadParts", "s3:AbortMultipartUpload",
"s3:GetObjectTorrent", "s3:GetObjectVersionTorrent", "s3:RestoreObject"
],
"Resource": "arn:aws:s3:::ACTUAL-BUCKET-NAME/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "ACTUAL-IP-ADDRESS"
}
}
}
]
}
我用来测试的命令是
echo "hi" | aws s3 cp - s3://ACTUAL-BUCKET-NAME/ACTUAL-FILE-NAME --no-sign-request --region us-east-1
我尝试了什么
我已尝试将条件更改为 ArnLike 而没有更好的结果。
我尝试修改ARN,因为我不确定是否需要将 region 或 accountid 替换为实际值,或者我是否可以将它们保留为'变量' - 但是,无所谓。
答案 0 :(得分:1)
这通常不是您提供EC2服务器访问S3存储桶的方式。您通常会通过将适当的IAM角色分配给EC2服务器而不是使用S3存储桶策略来实现此目的。
如果您必须通过存储桶策略完成此操作,我建议您阅读this question的答案。