我有一个只有用户有权访问的S3存储桶(“ myBucket”),我们将其称为“ s3user”。我对此用户附加了IAM策略,如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::myBucket"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetObjectVersion"
],
"Resource": "*"
}
]
}
我将此IAM策略附加到用户“ s3User”,从而授予对“ myBucket”的只读访问权限。到目前为止一切顺利。
现在,我添加了第二个策略,但现在不是IAM策略,而是S3存储桶策略,如下所示:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myBucket/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.4/27",
"2.3.4.1/28",
"5.6.7.8/29"
]
}
}
}
]
}
我希望此明确拒绝将拒绝所有不是来自指定源IP范围的请求。但是,它仍然让我从其他IP列出存储桶的内容。桶策略似乎根本没有效果。
根据this AWS S3 article,当您有多个策略时,它们都会被应用,并且显式拒绝的优先级高于显式允许,因此我认为此应该有效,但它不起作用
有什么想法为什么我无法基于源IP地址拒绝对存储桶的请求?
谢谢!
答案 0 :(得分:2)
您应该更新Deny策略,使其包含对存储桶本身执行的操作,而不是其内容(/*):
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "DenyOutsideIPfromBucket",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetObjectVersion"
],
"Resource": ["arn:aws:s3:::myBucket/*", "arn:aws:s3:::myBucket"],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.4/27",
"2.3.4.1/28",
"5.6.7.8/29"
]
}
}
}
]
}
当然,如果仅有访问该存储桶的用户是具有IAM策略的用户,则只需在原始IAM策略上添加一个IpAddress条件,这样他们就只能使用给定存储桶中的存储桶。 IP地址集。这样可以避免使用Deny策略。