Understanding IAM policies

Time: 2018-12-15 08:40:18

Tags: amazon-web-services amazon-s3 amazon-iam

I recently ran into a problem using IAM policies while working with CodeBuild. I am trying to understand the difference between the following two policies and to check whether there are any security implications in using version 2 instead of version 1.

Version 1 did not work, so I decided to use version 2. But why does version 2 work, and why does version 1 not?

Version 1 only grants access to the CodePipeline resources and allows reading and writing objects in the S3 bucket.

But version 2 has access to all S3 buckets, doesn't it? Would this be considered a security vulnerability?

Version 1

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::codepipeline-ap-southeast-1-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        }
    ]
}

Version 2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::codepipeline-ap-southeast-1-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        },
        {
            "Sid": "S3AccessPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetObject",
                "s3:List*",
                "s3:PutObject"
            ],
            "Resource": "*"
        }
    ]
}

1 answer:

Answer 0: (score: 1)

I have replicated the scenario by granting restricted access to a specific S3 bucket.

Block 1: Allows the required Amazon S3 console permissions. Here I have granted CodePipeline permission to list all the buckets in the AWS account.

Block 2: Allows listing the objects in the root folder; here my S3 bucket name is "aws-codestar-us-east-1-493865049436-larvel-test-pipe".

But when I followed the steps from creating the CodePipeline through to creating the build from the same Pipeline console itself, I was surprised: I got the same policy as your version 1, and it executed as well. However, in the next step I gave specific permissions to the bucket in S3 following the policy below, and that bucket worked. So in the second version, instead of granting all permissions on "Resource": "*", you can restrict the permissions to only those specific to the bucket, as described in the following example policy:

{
   "Version": "2012-10-17",
   "Statement": [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1",
            "arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1:*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::codepipeline-us-east-1-*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::aws-codestar-us-east-1-493865049436-larvel-test-pipe/*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    }
]
}
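To make the difference between the two versions concrete, here is an added example (not part of the question or the answer) that runs the S3 statements from version 1, version 2 and a bucket-scoped variant in the answer's style through a simplified IAM decision model, and flags Allow statements that grant S3 actions on `"Resource": "*"`. The bucket name `my-app-bucket` is a constructed placeholder, and the evaluator ignores conditions, principals and bucket policies.

```python
import fnmatch

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' = any sequence, '?' = one character; escape '[' so
    # fnmatch does not treat it as a character class.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def evaluate(policy, action, resource):
    """Simplified IAM decision: explicit Deny wins, then Allow, else ImplicitDeny.
    Conditions, principals and resource/bucket policies are ignored."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        act_ok = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        res_ok = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def wildcard_resource_statements(policy, service="s3"):
    """Return (Sid, actions) for Allow statements granting `service` actions on '*'."""
    flagged = []
    for stmt in policy["Statement"]:
        acts = [a for a in _as_list(stmt.get("Action", []))
                if a == "*" or a.lower().startswith(service + ":")]
        if stmt.get("Effect") == "Allow" and acts and "*" in _as_list(stmt.get("Resource", [])):
            flagged.append((stmt.get("Sid", "<no Sid>"), acts))
    return flagged

# S3 statements as posted in the question (version 1, and the extra block in version 2).
ARTIFACT_STMT = {"Effect": "Allow", "Resource": ["arn:aws:s3:::codepipeline-ap-southeast-1-*"],
                 "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"]}
WILDCARD_STMT = {"Sid": "S3AccessPolicy", "Effect": "Allow", "Resource": "*",
                 "Action": ["s3:CreateBucket", "s3:GetObject", "s3:List*", "s3:PutObject"]}
VERSION1 = {"Version": "2012-10-17", "Statement": [ARTIFACT_STMT]}
VERSION2 = {"Version": "2012-10-17", "Statement": [ARTIFACT_STMT, WILDCARD_STMT]}
# Bucket-scoped alternative in the answer's style; 'my-app-bucket' is a constructed placeholder.
SCOPED = {"Version": "2012-10-17", "Statement": [ARTIFACT_STMT, {
    "Effect": "Allow", "Resource": ["arn:aws:s3:::my-app-bucket/*"],
    "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"]}]}

if __name__ == "__main__":
    for name, pol in (("version 1", VERSION1), ("version 2", VERSION2), ("scoped", SCOPED)):
        print(name, evaluate(pol, "s3:GetObject", "arn:aws:s3:::some-other-bucket/secret.txt"),
              wildcard_resource_statements(pol))
```

Version 1 implicitly denies the build's access to any bucket outside the `codepipeline-ap-southeast-1-*` artifact store, which is why it fails once the build touches another bucket; version 2 allows GetObject, PutObject and every List action on every bucket in the account, which the linter flags, while the scoped variant grants only the one bucket that is actually needed.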