允许从特定VPC或控制台访问S3存储桶
[英]Allow S3 Bucket access from either specific VPC or console
问题描述
I have some app configuration stored in a file in an S3 bucket (api keys). 
我在S3存储桶(API密钥)的文件中存储了一些应用程序配置。 I have the S3 bucket configured to only allow access via a specific VPC endpoint, which ties the keys to specific environments, and prevents eg production keys being accidentally used in a staging or test environment. 我将S3存储桶配置为仅允许通过特定的VPC端点进行访问,该端点将密钥与特定环境联系在一起,并防止例如生产密钥在登台或测试环境中意外使用。
However occasionally I need to amend these keys, and it's a pain. 但是有时我需要修改这些键,这很痛苦。 Currently the bucket policy prevents console access, so I have to remove the bucket policy, update the file, then replace the policy. 当前存储桶策略阻止控制台访问,因此我必须删除存储桶策略,更新文件,然后替换该策略。
How can I allow access from the console, a specific VPC endpoint, and no where else? 如何允许从控制台,特定的VPC端点进行访问,而在其他地方没有访问权限?
Current policy, where I've tried and failed already: 目前的政策,我已经尝试过但失败了:
{
"Version": "2012-10-17",
"Id": "Policy12345",
"Statement": [
{
"Sid": "Principal-Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::account-id:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-keys-staging",
"arn:aws:s3:::my-keys-staging/*"
]
},
{
"Sid": "Access-to-specific-VPCE-only",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-keys-staging",
"arn:aws:s3:::my-keys-staging/*"
],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-vpceid"
}
}
}
]
}
1 个解决方案
解决方案1
5 已采纳 2017-04-12 14:47:17
As mentioned in the comments, having an explicit Deny cannot be overridden. 如评论中所述,拥有明确的Deny不能被覆盖。 By including the Deny tied to a particular VPC, you cannot add any other Allow elements to counteract that Deny statement. 通过包含与特定VPC绑定的Deny ,您不能添加任何其他Allow元素来抵消该Deny语句。
Option 1 选项1
One option is to change your "deny if not from VPC abc" statement to "allow if from VPC abc". 一种选择是将“如果不是从VPC abc拒绝,则”语句更改为“如果从VPC abc拒绝,则允许”语句。 This would allow you to add additional Allow statements to your policy to allow you to access the bucket from elsewhere. 这将允许您向策略中添加其他Allow语句,以允许您从其他位置访问存储桶。
However, there are 2 very important caveats that goes along with doing that: 但是,这样做有两个非常重要的警告:
- Any user with "generic" S3 access via IAM policies would have access to the bucket, and 任何通过IAM策略具有“通用” S3访问权限的用户都可以访问该存储桶,并且
- Any role/user from said VPC would be allowed into your bucket. 该VPC中的任何角色/用户都将被允许进入您的存储桶。
So by changing Deny to Allow , you will no longer have a VPC-restriction at the bucket level. 因此,通过将Deny更改为Allow ,您将在存储桶级别不再具有VPC限制。
This may or may not be within your organization's security requirements. 这可能会或可能不会在您组织的安全要求之内。
Option 2 选项2
Instead, you can amend your existing Deny to add additional conditions which will work in an AND situation: 相反,您可以修改现有的Deny以添加其他条件,这些条件将在“与”情况下起作用:
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-vpceid",
"aws:username": "your-username"
}
}
This type of condition will deny the request if: 在以下情况下,这种类型的条件将拒绝请求:
- The request is not coming from your magic VPC, AND 该请求不是来自您的魔术VPC,并且
- The request is not coming from YOUR username 该请求不是来自您的用户名
So you should be able to maintain the restriction of limiting requests to your VPC with the exception that your user sign-in would be allowed access to the bucket from anywhere . 因此,除了允许用户登录从任何地方访问存储桶之外,您应该能够限制对VPC的请求限制。
Note the security hole you are opening up by doing this. 注意执行此操作将打开的安全漏洞。 You should ensure you restrict the username to one that (a) does not have any access keys assigned, and (b) has MFA enabled. 您应该确保将用户名限制为(a)未分配任何访问密钥,并且(b)启用了MFA。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.