仅允许从特定Lambda访问文件[s3]

时间:2016-10-14 11:29:07

标签: amazon-web-services amazon-s3 aws-lambda

s3存储桶(静态网络托管)有一定的策略拒绝访问每个人的某个文件。

我如何仅允许特定的 lambda函数来访问它? (仅使用存储桶策略)

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "Authentication",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "NotResource": "arn:aws:s3:::web/auth.html"
      }
  ]
}

更新:使用此更改先前的政策会产生所需的结果

{
    "Version": "2012-10-17",
    "Id": "Policy1477651215159",
    "Statement": [
        {
            "Sid": "Console administration",
            "Effect": "Allow",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::XXXX:role/role_lambda"
            },
            "Action": "s3:GetObject",
            "NotResource": "arn:aws:s3:::web/auth.html"
        }
    ]
}

2 个答案:

答案 0 :(得分:2)

Lambda函数在执行角色中运行。您可以为lambda函数创建客户IAM角色。见this

然后,您可以使用该IAM角色授予对该S3对象的访问权限。有关要遵循的步骤,请参阅此article

答案 1 :(得分:1)

这是一个CloudFormation代码段。您可以使用以下Lambda政策声明允许S3角色访问IAM

"LambdaRolePolicy" : {
    "Type": "AWS::IAM::Policy",
    "Properties": {
        "PolicyName": "Lambda",
        "PolicyDocument": {
            "Statement" : [ {
                "Action" : [
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Effect" : "Allow",
                "Resource" : {
                    "Fn::Join": [ "", [
                        "arn:aws:s3:::",
                        { "Ref": "S3Bucket" },
                        "/*"
                    ] ]
                }
            } ]
        },
        "Roles" : [ { "Ref": "RootRole" } ]
    }
}

S3Bucket资源是您的S3广告资源,RootRoleLambda角色。