将跨帐户角色的IAM用户限制为单个存储桶

时间:2020-06-22 00:40:55

标签: amazon-web-services amazon-s3 terraform amazon-iam

我希望我的Iam策略用于交叉帐户,仅能访问一个S3存储桶,如下面的示例所示,但是它失败,并且权限被拒绝。当我在AccountA中的控制台上切换到跨帐户角色并尝试访问accountB中的S3存储桶时,将发生失败。但是,当我更改Iam策略上的“资源”以允许所有操作时,我可以在accountB中查看S3存储桶。

xx.json 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "mysid",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::mybucket/"
      ]
    }
  ]
}

但是,当我更改Iam策略上的“资源”以允许所有操作时,我可以在accountB中查看S3存储桶。例如

xxx.json 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "mysid",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "*"
      ]
    }
  ]
}

但这不是我想要的。

使用的其他文件包括:

xx.tpl 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "${Sid}",
            "Effect": "${Effect}",
            "Action": "${Action}",
            "Resource": "${Resource}"
        }
    ]
}

xx.tf 

data "aws_iam_policy_document" "s3_write" {
  count         = length(var.s3_bucket_names)

  statement {
    actions   = ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObjectAcl", "s3:List*", "s3:Get*", "s3:*"]
    resources = ["arn:aws:s3:::${aws_s3_bucket.mybucket[count.index].id}/*", "arn:aws:s3:::${aws_s3_bucket.mybucket[count.index].id}"]
    principals {
      identifiers = var.principals
      type        = "AWS"
    }
  }


resource "aws_s3_bucket_policy" "s3_lb" {
  count         = length(var.s3_bucket_names)
  bucket = aws_s3_bucket.mybucket[count.index].id
  policy = data.aws_iam_policy_document.s3_write[count.index].json
}

s3存储桶策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxx:role/test-role1",
                    "arn:aws:iam::xxxx:role/test-role2",
                    "arn:aws:iam::xxxx:role/test-role3",
                    "arn:aws:iam::xxxx-other:role/s3-list-role"
                ]
            },
            "Action": [
                "s3:PutObjectAcl",
                "s3:PutObject",
                "s3:List*",
                "s3:Get*",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*",
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

2 个答案:

答案 0 :(得分:1)

我更改了此内容

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "mysid",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::mybucket/"
      ]
    }
  ]
}

对此:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

向我的IAM用户授予对控制台和CLI的跨帐户访问权限。控制台跨帐户访问需要第一条allow语句。

答案 1 :(得分:0)

如果arn:aws:iam :: xxxx:role / test-role1附加了此策略,则具有该角色的会话将可以访问存储桶:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "mysid",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::mybucket"
      ]
    }
  ]
}

S3存储桶策略授予此主体访问权限。问题是存储桶ARN(上方策略中列出的第二个资源)上的斜杠。

相关问题
最新问题