我试图将对S3存储桶的访问限制为单个EC2角色。我已将以下存储桶策略附加到存储桶,并且该存储桶的公共访问权限已关闭。但是,当应用该策略时,我仍然可以使用实例中的curl来访问存储桶,而无需附加角色。谁能让我知道我在想什么?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname",
"Condition": {
"StringLike": {
"aws:userid": [
"AROQQQCCCZZDDVVQQHHCC:*",
"123456789012"
]
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:userid": [
"AROQQQCCCZZDDVVQQHHCC:*",
"123456789012"
]
}
}
},
{
"Sid": "",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
],
"Condition": {
"StringNotLike": {
"aws:userid": [
"AROQQQCCCZZDDVVQQHHCC:*",
"123456789012"
]
}
}
}
]
}
答案 0 :(得分:0)
我相信以下S3政策应能胜任。请记住用正确的角色替换角色arn,我假设它已附加到您的EC2实例中。另外,请确保您的ec2角色具有执行列表,获取,放置,删除操作的正确策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExplicitDenyAllActions",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
]
},
{
"Sid": "AllowListForIAMRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": "AllowDeleteGetPutForIAMRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": [
"s3:Delete*",
"s3:Get*",
"s3:Put*"
],
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
]
},
{
"Sid": "AllowAllActionForUser",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:user/USERNAME"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
]
}
]
}
有用的文档,您可以在其中找到更多信息-> AWS docs on s3 policies