Prevent a SageMaker user from accessing S3 buckets

Time: 2018-04-25 23:43:38

Tags: amazon-web-services amazon-s3 amazon-iam amazon-sagemaker

I am trying to add an IAM user who will use SageMaker. I used the AmazonSageMakerFullAccess policy. But when I log in as this user, I can see all of the root account's S3 buckets and download files from them.

From the sagemaker documentation:

When you attach the AmazonSageMakerFullAccess policy to a role, you must do one of the following to allow Amazon SageMaker to access your S3 bucket:

- Include the string "SageMaker" or "sagemaker" in the name of the bucket where you store training data, or model artifacts produced by model training, or both.
- Include the string "SageMaker" or "sagemaker" in the object name of the training data object.
- Tag the S3 object with "sagemaker=true". The key and value are case sensitive. For more information, see Object Tagging in the Amazon Simple Storage Service Developer Guide.
- Add a bucket policy that allows access for the execution role. For more information, see Using Bucket Policies and User Policies in the Amazon Simple Storage Service Developer Guide.

This does not seem accurate; the user can access S3 buckets whose names do not contain "sagemaker". How do I restrict access?

The full policy is below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "cloudwatch:PutMetricData",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DeleteAlarms",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:RegisterScalableTarget",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                }
            }
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "sagemaker.amazonaws.com"
                }
            }
        }
    ]
}
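As an added example (not code from the question, the answer or AWS), the Python below evaluates the three S3 statements of the policy above against sample requests using a simplified IAM decision (wildcard matching on Action and Resource, an explicit Deny winning, and only the s3:ExistingObjectTag condition form this policy uses). It shows that s3:ListAllMyBuckets and s3:ListBucket are granted on every bucket, while s3:GetObject and s3:PutObject are scoped by a "sagemaker" bucket/object name or the SageMaker tag. The bucket names, keys and tags are constructed.

```python
import fnmatch
import json

# Constructed subset: only the three S3 statements of the AmazonSageMakerFullAccess policy quoted above.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
   "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*"]},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets"]},
  {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*",
   "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/SageMaker": "true"}}}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_met(condition, object_tags):
    # Only StringEqualsIgnoreCase on s3:ExistingObjectTag/<key> is modelled; anything else counts as unmet.
    prefix = "s3:ExistingObjectTag/"
    for operator, pairs in condition.items():
        if operator != "StringEqualsIgnoreCase":
            return False
        for key, expected in pairs.items():
            actual = object_tags.get(key[len(prefix):]) if key.startswith(prefix) else None
            if actual is None or actual.lower() != expected.lower():
                return False
    return True

def is_allowed(policy, action, resource_arn, object_tags=None):
    """Simplified IAM decision: explicit Deny wins; otherwise any matching Allow (fnmatch wildcards) grants."""
    object_tags = object_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_met(stmt["Condition"], object_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def s3_access_summary(policy, bucket, key, object_tags=None):
    """Which of the S3 operations discussed in the question a principal could perform on bucket/key."""
    bucket_arn, object_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/{key}"
    return {"list_all_buckets": is_allowed(policy, "s3:ListAllMyBuckets", "*"),
            "list_bucket": is_allowed(policy, "s3:ListBucket", bucket_arn),
            "get_object": is_allowed(policy, "s3:GetObject", object_arn, object_tags),
            "put_object": is_allowed(policy, "s3:PutObject", object_arn, object_tags)}
```

Running s3_access_summary on a bucket without "sagemaker" in its name returns listing allowed but object access denied, which is what the policy's Resource "*" on the list actions versus the name-scoped object actions implies.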

1 Answer:

Answer 0 (score: 0)

It looks like with the SageMaker notebook wizard, the role you create has limited S3 access. If I add this together with the default AmazonSageMakerFullAccess, it strictly restricts the user.

Amazon make sagemaker role

choose iam roles