[英]How to lockdown S3 bucket to specific users and IAM role(s)
In our environment, all IAM user accounts are assigned a customer-managed policy that grants read-only access to a lot of AWS services. 在我们的环境中,所有IAM用户帐户都分配有客户管理的策略,该策略授予对许多AWS服务的只读访问权限。 Here's what I want to do:
这是我想做的:
Here's the requirements according to AWS: 这是根据AWS的要求:
So far, I've done the following: 到目前为止,我已经完成了以下工作:
Created a policy under the name "rds-s3-policy" with these settings: 使用以下设置以名称“ rds-s3-policy”创建策略:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::test-bucket/" }, { "Effect": "Allow", "Action": [ "s3:GetObjectMetaData", "s3:GetObject", "s3:PutObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload" ], "Resource": "arn:aws:s3:::test-bucket/*" } ] }
Assigned the policy to the role 将策略分配给角色
With no restrictions on my S3 bucket, I can perform the restore just fine; 不受S3存储桶的限制,我可以执行恢复。 however, I can't find a solid way of restricting access to the bucket without hindering the RDS service from doing the restore.
但是,我找不到在不妨碍RDS服务执行还原的情况下限制对存储桶的访问的可靠方法。
In terms of my attempts to restrict access to the S3 bucket, I found a few posts online recommending using an explicit Deny statement to deny access to all types of principals and grant access based on some conditional statements. 关于限制访问S3存储桶的尝试,我在线上找到了一些帖子,建议使用显式的Deny语句来拒绝对所有类型的主体的访问,并基于某些条件语句来授予访问权限。
Here's the contents of my bucket policy: 这是我的存储桶策略的内容:
{
"Version": "2012-10-17",
"Id": "Policy1486769843194",
"Statement": [
{
"Sid": "Stmt1486769841856",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::test-bucket",
"arn:aws:s3:::test-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userid": [
"<root_id>",
"<user1_userid>",
"<user2_userid>",
"<user3_userid>",
"<role_roleid>:*"
]
}
}
}
]
}
I can confirm the bucket policy does restrict access to only the IAM users that I specified, but I am not sure how it treats IAM roles. 我可以确认存储桶策略确实将访问权限限制为仅指定了IAM用户,但是我不确定它如何对待IAM角色。 I used the :* syntax above per a document I found on the aws forums where the author stated the ":*" is a catch-all for every principal that assumes the specified role.
我在aws论坛上找到的每个文档都使用了上面的:*语法,在该文档中,作者说“:*”是承担指定角色的每个主体的全部内容。
The only thing I'm having a problem with is, with this bucket policy in place, when I attempt to do the database restore, I get an access denied error. 我唯一有问题的是,有了这个存储桶策略,当我尝试进行数据库还原时,出现了拒绝访问错误。 Has anyone ever done something like this?
有没有人做过这样的事情? I've been going at it all day and haven't been able to find a working solution.
我整天都在忙着,还没有找到可行的解决方案。
The following, admittedly, is guesswork... but reading between the lines of the somewhat difficult to navigate IAM documentation and elsewhere, and taking into account the way I originally interpreted it (incorrectly), I suspect that you are using the role's name rather than the role's ID in the policy. 坦白地说,以下内容只是猜测而已...但是在阅读有些困难的IAM文档和其他地方的内容之间,并考虑到我最初对它的理解(错误地),我怀疑您使用的是角色名称 ,而不是策略中角色的ID 。
Role IDs look similar to AWSAccessKeyIds except that they begin with AROA...
. 角色ID看起来类似于AWSAccessKeyId,但它们以
AROA...
开头。
For the given role, find RoleId
in the output from this: 对于给定的角色,在此输出中找到
RoleId
:
$ aws iam get-role --role-name ROLE-NAME
https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/ https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
Use caution when creating a broad Deny
policy. 创建广泛的
Deny
策略时请谨慎。 You can end up denying s3:PutBucketPolicy
to yourself, which leaves you in a situation where your policy prevents you from changing the policy... in which case, your only recourse is presumably to persuade AWS support to remove the bucket policy. 您最终
s3:PutBucketPolicy
对自己拒绝s3:PutBucketPolicy
,这使您处于策略阻止您更改策略的情况下……在这种情况下,您唯一的办法就是说服AWS支持删除存储桶策略。 A safer configuration would be to use this to deny only the object-level permissions. 一种更安全的配置是使用它仅拒绝对象级权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.