允许VPC时,AWS S3存储桶AccessDenied

时间:2018-01-17 15:46:18

标签: amazon-web-services amazon-s3

我已经使用这样的存储桶策略设置了S3存储桶:

{
"Version": "2012-10-17",
"Id": "NginxProxy",
"Statement": [
    {
        "Sid": "AllowByVpc",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::test/*",
        "Condition": {
            "StringEquals": {
                "aws:sourceVpc": "vpc-cf53cba8"
            }
        }
    },
    {
        "Sid": "DenyByVpc",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::test/*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "185.24.222.124"
                ]
            },
            "StringNotEquals": {
                "aws:sourceVpc": "vpc-cf53cba8"
            }
        }
    }
]

}

当我在同一个VPC(vpc-cf53cba8)下的EC2实例上尝试命令curl -k -v --key client.key --cert client.crt -T abc.jpg http://test.s3.us-east-1.amazonaws.com/abc.jpg时,我得到了AccessDenied。

不幸的是,我不知道该关注什么。有什么想法吗?

1 个答案:

答案 0 :(得分:0)

我通过为S3添加VPC端点 - https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/

解决了这个问题