
AWS IAM Policies: How do I alter the AWSLambdaFullAccess policy to only allow access to one S3 bucket?

I'm working with my IT team to restrict my user account (under a root account) so that it doesn't have access to S3 buckets I don't want access to. When enabling the AWSLambdaFullAccess policy, it enables full access to a lot of AWS features, including all of S3. Here is the AWSLambdaFullAccess policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "s3:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    }
  ]
}

Most of that is fine. How would I alter this as a new policy so that I only have access to the "arn:aws:s3:::lambda-scripts" bucket?

The most direct edit I can think of would involve removing the "s3:*" action from the statement you have, and adding a second statement that grants S3 access to just that bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3LambdaScripts",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::lambda-scripts*"
      ]
    }
  ]
}

A better answer is that you really should not use the predefined AWSLambdaFullAccess permission. Instead, build your own using multiple statements targeting the services and resources you really need. For example, are you really using Dynamo, Kinesis, Cognito, etc.? Yes, it's tedious. But if you save the smaller increments as user-defined policies in IAM, it gets easier to piece together a reasonable policy from custom and predefined stuff.

Split the S3 permissions into separate statements, and modify the resource setting for those statements. Something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::lambda-scripts"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::lambda-scripts/*"
    }
  ]
}
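A quick way to compare the original policy with the two answers above is to evaluate concrete (action, resource) pairs against each of them. The script below is an added example written for this page; it is not the AWS evaluation engine and not code from either answer. It implements only the pieces these policies use (Allow/Deny statements, Action and Resource as strings or lists, and IAM's `*` and `?` wildcards) and ignores conditions, NotAction/NotResource, principals, SCPs and resource-based policies. The three policy documents are constructed, trimmed copies of the ones on the page: the long action list is cut to four entries so the S3 handling stays visible, and the bucket and ARNs in the test cases are made up. It also shows one detail the first answer glosses over: the resource pattern `arn:aws:s3:::lambda-scripts*` matches the bucket and its objects, but also any bucket whose name merely starts with `lambda-scripts`, whereas the second answer's split statements do not.

```python
"""Tiny offline IAM policy evaluator (added example, not AWS's engine).

Models only what the two answers rely on: Allow/Deny statements whose
Action and Resource are strings or lists, with IAM's '*' and '?' wildcards.
Conditions, NotAction/NotResource, principals, SCPs and resource-based
policies are ignored, so treat a verdict as a sanity check, not proof.
"""
import re


def _iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """'*' matches any run of characters, '?' exactly one; all else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Implicit deny by default; any matching Allow grants; an explicit Deny wins."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; ARNs are matched exactly.
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def overly_broad_actions(policy: dict) -> list:
    """Actions in Allow statements that pair a service-wide '*' with Resource '*'."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        findings.extend(a for a in _as_list(stmt.get("Action", []))
                        if a == "*" or a.endswith(":*"))
    return findings


# Constructed, trimmed versions of the three policies on the page: the long
# action list is cut to four entries so the S3 handling stays visible.
COMMON_ACTIONS = ["cloudwatch:*", "iam:PassRole", "lambda:*", "logs:*"]
BUCKET = "arn:aws:s3:::lambda-scripts"

ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": COMMON_ACTIONS + ["s3:*"], "Resource": "*"},
]}

ANSWER_ONE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": COMMON_ACTIONS, "Resource": "*"},
    {"Sid": "S3LambdaScripts", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": [BUCKET + "*"]},
]}

ANSWER_TWO = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": COMMON_ACTIONS, "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/*"},
]}


if __name__ == "__main__":
    # Constructed test cases: an unrelated bucket, the intended bucket, a bucket
    # with a similar name prefix, a bucket-level destructive call, and a non-S3 call.
    cases = [
        ("s3:GetObject", "arn:aws:s3:::finance/payroll.csv"),
        ("s3:GetObject", BUCKET + "/handler.zip"),
        ("s3:GetObject", "arn:aws:s3:::lambda-scripts-backup/handler.zip"),
        ("s3:DeleteBucket", BUCKET),
        ("lambda:CreateFunction", "arn:aws:lambda:us-east-1:123456789012:function:f"),
    ]
    for name, policy in [("original", ORIGINAL), ("answer 1", ANSWER_ONE), ("answer 2", ANSWER_TWO)]:
        print(f"{name}: broad actions = {overly_broad_actions(policy)}")
        for action, arn in cases:
            print(f"  {action:22} {arn:62} -> {is_allowed(policy, action, arn)}")
```

Run it to see the original policy allow `s3:GetObject` on every bucket, the first answer allow it on `lambda-scripts` and on `lambda-scripts-backup` alike, and the second answer allow it on `lambda-scripts` objects only while still refusing bucket-level calls such as `s3:DeleteBucket`. For the real evaluation, including conditions and other policy types, use `aws iam simulate-custom-policy` (or `simulate-principal-policy` for an existing user) rather than this model.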
