AWS S3 拒绝除 1 个用户之外的所有访问 - 存储桶策略
[英]AWS S3 deny all access except for 1 user - bucket policy
问题描述
I have set up a bucket in AWS S3.
我已经在 AWS S3 中设置了一个存储桶。 I granted access to the bucket for my IAM user with an ALLOW policy (Using the Bucket Policy Editor).我使用 ALLOW 策略(使用存储桶策略编辑器)授予我的 IAM 用户访问存储桶的权限。 I was able to save files to the bucket with the user.我能够与用户一起将文件保存到存储桶中。 I have been working with the bucket for media serving before, so it seems the default action is to give public permission to view the files (images), which is fine for most web sites.我之前一直在使用存储桶进行媒体服务,因此默认操作似乎是授予公众查看文件(图像)的权限,这对大多数网站都适用。
In my new project I want to be able to access the S3 bucket with an IAM user but want to deny all other access.在我的新项目中,我希望能够使用 IAM 用户访问 S3 存储桶,但希望拒绝所有其他访问。 No public read access, no access whatsoever besides the IAM user who should have full access save/delete whatever.没有公共读取访问权限,除了应该拥有保存/删除任何内容的完全访问权限的 IAM 用户之外,没有任何访问权限。
What seems like I should do, I was reading about here .看起来我应该做什么,我正在阅读here 。 It says to create a Deny policy using the NotPrincipal attribute, and that way it will still allow that user, but deny everyone else.它说使用NotPrincipal属性创建Deny策略,这样它仍然会允许该用户,但拒绝其他所有人。 For good measure I also added an Allow policy just for the user I want:为了更好地衡量,我还为我想要的用户添加了一个Allow策略:
{
"Version": "2012-10-17",
"Id": "Policy**********",
"Statement": [
{
"Sid": "Stmt**********",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::*********:user/my_user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my_bucket/*"
},
{
"Sid": "Stmt*************",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::**********:user/my_user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my_bucket/*"
}
]
}
But this is denying access to everyone even my_user .但这拒绝了所有人的访问,甚至是my_user 。 Again I can confirm that I had access when I just used the Allow portion of the policy above, but then the public also has read access, which I am trying to turn off.当我刚刚使用上述策略的Allow部分时,我可以再次确认我有访问权限,但是公众也有读取访问权限,我试图关闭它。
How can I set up my bucket policy to give full access to only the unique IAM user and deny all access to any other user?如何设置我的存储桶策略以仅向唯一的 IAM 用户授予完全访问权限,并拒绝向任何其他用户授予所有访问权限?
Thanks.谢谢。
2 个解决方案
解决方案1
5 已采纳 2016-10-04 22:24:51
It's quite simple:这很简单:
- By default, buckets have no public access默认情况下,存储桶没有公共访问权限
- Do NOT add a Bucket Policy , since you do not want to grant access public access不要添加 Bucket Policy ,因为您不想授予访问公共访问权限
- Instead, add a policy to the IAM User granting them access相反,向 IAM 用户添加一个授予他们访问权限的策略
The main thing to realise is that the IAM User cannot access content via unauthenticated URLS (eg s3.amazonaws.com/bucket/file.jpg ) because S3 doesn't know who they are.要意识到的主要事情是 IAM 用户无法通过未经身份验证的 URL(例如s3.amazonaws.com/bucket/file.jpg )访问内容,因为 S3 不知道他们是谁。 When the IAM User accesses the content, they will need to use authenticated access so that S3 knows who they are, such as:当 IAM 用户访问内容时,他们将需要使用经过身份验证的访问,以便 S3 知道他们是谁,例如:
- Accessing via the AWS Management Console using a Username + Password使用用户名 + 密码通过 AWS 管理控制台访问
- Accessing via the AWS Command-Line Interface (CLI) using an Access Key + Secret Key使用访问密钥 + 秘密密钥通过AWS 命令行界面 (CLI)进行访问
The policy on the IAM User would look something like: IAM 用户的策略如下所示:
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"
]
}
解决方案2
0 2021-06-23 04:14:15
If I understand correctly, allow access to buket only for 1 IAM user.如果我理解正确,请仅允许 1 个 IAM 用户访问 buket。 We can use the bucket policy.我们可以使用桶策略。 I got this in netApp documnetation.我在 netApp 文档中得到了这个。
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::95390887230002558202:federated-user/Bob"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::examplebucket",
"arn:aws:s3:::examplebucket/*"
]
},
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::95390887230002558202:federated-user/Bob"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::examplebucket",
"arn:aws:s3:::examplebucket/*"
]
}
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.