创建仅S3用户

Question

我正在尝试创建仅S3用户，根据定义，该用户将无权访问任何其他资源。用户可以从S3上传和下载文件。我创建了一个基本模板，可以在这里找到...

https://github.com/shantanuo/aws-cloudformation-templates/blob/master/aws/services/IAM/IAM_Users_Groups_and_Policies.yaml

但是，在我的情况下，这允许不必访问cloudformation。我已经阅读了以下页面，但是不知道如何将它们包含在模板中。

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

https://docs.aws.amazon.com/AWSCloudForation/latest/UserGuide/aws-properties-iam-group.html

创建仅S3用户的最低参数是什么？

---

更新： 这是我尝试过的cloudformation代码以及出现的错误：

错误消息：以下资源创建失败：[CFNRole，CFNUser]。 。用户请求回滚。

模板：

Parameters:
  NewUsername:
    NoEcho: 'false'
    Type: String
    Description: New account username
    MinLength: '1'
    MaxLength: '41'
    ConstraintDescription: the username must be between 1 and 41 characters
  Password:
    NoEcho: 'true'
    Type: String
    Description: New account password
    MinLength: '1'
    MaxLength: '41'
    ConstraintDescription: the password must be between 1 and 41 characters

Resources:
  CFNUser:
    Type: AWS::IAM::User
    Properties:
      LoginProfile:
        Password: !Ref 'Password'
      UserName : !Ref 'NewUsername'
  CFNRole:
    Type: AWS::IAM::Role
    Properties :
      PermissionsBoundary : arn:aws:iam::aws:policy/AmazonS3FullAccess
      RoleName : 'myPermissionBoundary'
  CFNKeys:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref 'CFNUser'

Outputs:
  AccessKey:
    Value: !Ref 'CFNKeys'
    Description: AWSAccessKeyId of new user
  SecretKey:
    Value: !GetAtt [CFNKeys, SecretAccessKey]
    Description: AWSSecretAccessKey of new user

我已经检查了此链接，但不确定如何在当前模板中包括该策略。 https://aws.amazon.com/blogs/security/easier-way-to-control-access-to-aws-regions-using-iam-policies/

Answer 1

您明确允许新用户访问模板中的Cloudformation。 您具有以下部分：

  CFNUserPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CFNUsers
      PolicyDocument:
        Statement:
        - Effect: Allow
          Action: ['cloudformation:Describe*', 'cloudformation:List*', 'cloudformation:Get*']
          Resource: '*'
      Groups: [!Ref 'CFNUserGroup']
  CFNAdminPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CFNAdmins
      PolicyDocument:
        Statement:
        - Effect: Allow
          Action: cloudformation:*
          Resource: '*'
Groups: [!Ref 'CFNAdminGroup']

其中的allow语句专门提供对Cloudformation的访问。如果您要授予对s3的访问权限，那么为什么要授予对Cloudformation的访问权限？

如果您希望用户只能访问s3，并进一步访问一个特定的s3存储桶，则您的策略应如下所示（请注意，此内容位于json中）：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                        "s3:GetBucketLocation",
                        "s3:ListAllMyBuckets"
                      ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET",
                "arn:aws:s3:::YOUR-BUCKET/*"
            ]
        }
    ]
}

如果您希望用户可以访问所有存储桶，则您的策略应如下所示：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1557048549844",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

查看此来源：https://objectivefs.com/howto/how-to-restrict-s3-bucket-policy-to-only-one-aws-s3-bucket