我有一个Web应用程序,用户(使用ID令牌JWT通过Cognito登录)可以从S3上传/下载文件。用户只能访问与其组织相关的S3资源。为此,我正在考虑按组织划分S3路径:
"arn:aws:s3:::my_bucket/org1"
"arn:aws:s3:::my_bucket/org2"
"arn:aws:s3:::my_bucket/org3"
如何保护S3路径(“文件夹”)的安全性,使用户只能访问其组织的资源?我做了一些研究,请参阅下面的选项-但是有更简单的方法吗?这似乎是一个相当普遍的用例。谢谢!
编辑:我最初想到使用JWT声明(下面的#1)。但是,对于我而言,AWS更喜欢使用“身份池”来解决这一问题。这很有意义,因为您可以将不同的IdP(例如Auth0)连接到Identiy池,并使用Identity(Identity Role-> Identity Policy)来设置策略。因此,我将尝试一下并报告是否可行。
User 1 has JWT with claim "organization: organization1"
User 2 has JWT with claim "organization: organization2"
etc.
示例存储桶策略[1](不确定语法是否正确)
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${cognito-identity.amazonaws.com:organization}/*"]}} // here
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${cognito-identity.amazonaws.com:organization}/*"] // here
}
]
}
类似这样的事情...
User | Cognito Group | IAM Role | IAM Policy S3 resource Mapping
user1 | organization1 | OrgRole | my-bucket/organization1/*
user2 | organization2 | OrgRole | my-bucket/organization1/*
user3 | organization2 | OrgRole | my-bucket/organization2/*
user4 | organization3 | OrgRole | my-bucket/organization3/*
此角色的示例IAM策略
"Resource": ["arn:aws:s3:::my_bucket/${current-users-cognito-group}/*"]
缺点:设置复杂,每个[0],每个用户池仅支持25个组,无法扩展。这让我觉得我的设置不正确。
[1] https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html