VPC access policy for an S3 bucket

Time: 2019-05-30 17:30:14

Tags: amazon-s3

I have a VPC whose VPC endpoint is associated with a specific route table (say RTB1). Subnet1 uses RTB1, while Subnet2 does not.

If I attach a policy to the S3 bucket that specifies the VPC ID, as in the following policy:

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}

Will this allow instances in Subnet2 to access the S3 bucket, even though those instances are not routed through RTB1, while RTB1 still has the VPC endpoint entry?

1 answer:

Answer 0 (score: 0)

Here is a summary of the behaviour:

Scenario: Assume there are
- 1 VPC, vpc-111bbb22
- 3 subnets:
    * subnet-1111 behind S3 VPC endpoint vpce-1111,
    * subnet-2222 behind S3 VPC endpoint vpce-2222, and
    * subnet-3333, which is not associated with any VPC endpoint.
- 1 S3 bucket named my_secure_bucket (NOTE: this bucket has to be in the same region as the VPC/VPC endpoints)

Using the above bucket policy, the accessibility is as follows:
subnet-1111 - can access
subnet-2222 - can access
subnet-3333 - cannot access
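The reason behind the table in the answer is how IAM treats a condition key that is missing from the request context: a request that does not traverse a VPC endpoint carries no aws:sourceVpc key at all, so StringNotEquals evaluates to true and the Deny fires, while any request arriving through any gateway endpoint in vpc-111bbb22 carries that VPC ID and escapes the Deny. The following is an added example, not code from the original post, that models that evaluation for the question's policy. The request contexts are constructed (the fourth one, an instance in a different VPC, is not in the answer), and it assumes a same-account principal whose IAM identity policy already grants the S3 action, so the bucket policy can only take access away.

```python
"""Simulate IAM evaluation of the question's aws:sourceVpc Deny policy.

Added example, not from the original post. Request contexts are constructed;
the "identity policy allows the action" assumption lives in is_allowed().
"""
import fnmatch
import json

# The bucket policy from the question, verbatim.
BUCKET_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Return True when every operator/key pair in a Condition block holds.

    Condition keys are compared case-insensitively, as IAM does. A key that is
    absent from the request context (an S3 request that never crossed a VPC
    endpoint has no aws:sourceVpc) makes StringEquals fail and StringNotEquals
    succeed; that asymmetry is what makes the Deny fire for such requests.
    """
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def _pattern_matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, context, action, resource, identity_policy_allows=True):
    """Decide one request. Assumption: a same-account principal whose identity
    policy grants the action, so only an explicit Deny in the bucket policy
    can block it (an explicit Deny always wins over any Allow)."""
    for stmt in policy["Statement"]:
        if not _pattern_matches(stmt["Action"], action):
            continue
        if not _pattern_matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
    return identity_policy_allows


# Constructed request contexts: the three subnets from the answer plus an
# assumed fourth case, an instance in a different VPC with its own endpoint.
REQUEST_CONTEXTS = {
    "subnet-1111 via vpce-1111": {"aws:SourceVpc": "vpc-111bbb22", "aws:SourceVpce": "vpce-1111"},
    "subnet-2222 via vpce-2222": {"aws:SourceVpc": "vpc-111bbb22", "aws:SourceVpce": "vpce-2222"},
    "subnet-3333 via internet gateway": {"aws:SourceIp": "203.0.113.10"},  # no VPC keys at all
    "instance in another VPC": {"aws:SourceVpc": "vpc-999aaa88", "aws:SourceVpce": "vpce-9999"},
}


def access_matrix(policy=BUCKET_POLICY):
    """Map each constructed request context to the decision for s3:GetObject."""
    return {
        name: is_allowed(policy, ctx, "s3:GetObject",
                         "arn:aws:s3:::my_secure_bucket/report.csv")
        for name, ctx in REQUEST_CONTEXTS.items()
    }


if __name__ == "__main__":
    for name, allowed in access_matrix().items():
        print(f"{name:35s} -> {'can access' if allowed else 'cannot access'}")
```

Because the policy keys on the VPC and not on the endpoint, subnet-2222 behind a second endpoint in the same VPC is treated exactly like subnet-1111. If the intent is to pin the bucket to one endpoint, swap the condition key to aws:sourceVpce with the endpoint ID; the evaluator above handles that variant with no other change, and the cloud-side check is the same as for the original: make a request from each subnet and confirm the one outside the endpoint route gets an AccessDenied.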