我的一个 AWS 账户中有一个 s3 存储桶,名为 ACCID1。我想允许 root 和一个特定用户 USER1 对其具有完全访问权限。从另一个账户 ACCID2,我拥有 IAM 角色,我想将其附加到 EC2 实例并仅允许从该 IAM 角色进行访问。 角色是备份完全访问(读、写和删除)。 我已创建以下存储桶策略,但无法通过使用上述 IAM 角色(在 ACCID2 中)启动的 EC2 实例访问该存储桶。 我可以从 EC2 实例中以 ACCID1 中的 USER1 身份使用它,并执行列表、创建和删除操作。
{
"Version":"2012-10-17",
"Id":"BackupBucketPolicy",
"Statement":[
{
"Sid":"DenyAllOther",
"Effect":"Deny",
"NotPrincipal":{
"AWS":[
"arn:aws:iam::ACCID1:user/USER1",
"arn:aws:iam::ACCID1:root",
"arn:aws:iam::ACCID2:role/backup-full-access"
]
},
"Action":"s3:*",
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
},
{
"Sid":"DevAccountRootFullAccess",
"Effect":"Allow",
"Principal":{
"AWS":[
"arn:aws:iam::ACCID1:user/USER1",
"arn:aws:iam::ACCID1:root"
]
},
"Action":"s3:*",
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
},
{
"Sid":"GraphBackupReadWriteDeleteAccess",
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::ACCID2:role/backup-full-access"
},
"Action":[
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
}
]
}
IAM 角色 backup-full-access 具有策略:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"Stmt2",
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
}
]
}
我不明白这里出了什么问题。 任何帮助将不胜感激。
最佳答案
首先,您不需要拒绝所有其他策略,因为 S3 存储桶权限默认为拒绝。
其次,您需要在创建时将backup-full-access角色的类型设置为跨账户访问角色。
最后,你的角色策略应该写成:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::test-nr-6"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::test-nr-6/*"
}
]
}
关于amazon-web-services - aws s3 存储桶策略未按预期工作,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/41634662/