
Restrict access to an S3 bucket only to specific EC2 instances

I have generated the below policy, but it still allows all other EC2 instances to access my bucket. What change should I make to this policy? What I want is for my bucket to be accessible only to the instance I have mentioned and not to any other instance.

{
  "Id": "Policy1507871740101",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1507871738318",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/*",
      "Principal": {
        "AWS": "arn:aws:ec2:region:userid:instance/instanceid"
      }
    }
  ]
}

You cannot specify an instance ID, but you can specify an IP address in an S3 policy.

However, you have another problem. If your EC2 instances can already access S3, either you have made the bucket public or you have assigned a role to the instance granting permission. Review this first. Find your security holes first.

Below is an example policy for S3 using IP addresses to grant or deny access:

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
         "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}

Just to make it more clear: as was mentioned, you should:

  • remove the bucket policy
  • create an EC2 role instead
  • attach that role to the instances you want to have access
  • edit the role policy

Sample is below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::"
        }
    ]
}

Feel free to edit the first statement to add/remove necessary actions.
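As an added example that is not code from the question or from either answer, the Python below does three things a practitioner would want to check before trusting either approach on this page: it lints the question's bucket policy and reports why it grants nothing (an EC2 instance ARN is not a valid `Principal`, and `s3:*` is over-broad), it evaluates the `aws:SourceIp` conditions of the first answer's IP-based policy for a given client address, and it produces the trust policy and permission policy for the instance-role approach in the second answer. The policy documents embedded in it are constructed copies of the ones on this page; the function names and the lint rules are this example's own.

```python
"""Added example: bucket-policy lint, aws:SourceIp evaluation and
instance-role document generation for the policies discussed above.
All embedded policy documents are constructed copies for this example."""
import ipaddress
import json

# Constructed copy of the question's bucket policy (missing quote fixed).
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1507871738318", "Effect": "Allow", "Action": "s3:*",
    "Resource": "arn:aws:s3:::bucket/*",
    "Principal": {"AWS": "arn:aws:ec2:region:userid:instance/instanceid"}}]}

# Constructed copy of the first answer's IP-based bucket policy.
IP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
                  "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}}}]}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_bucket_policy(policy):
    """Return human-readable findings for a bucket policy (empty list = none)."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else _as_list(principal))
        for arn in aws_principals:
            if arn == "*" or arn.isdigit():      # wildcard or bare account ID
                continue
            parts = arn.split(":")
            # A bucket-policy principal must be an IAM/STS identity (account,
            # user, role, assumed-role session). Any other ARN, such as the
            # EC2 instance ARN in the question, never matches a request.
            if len(parts) < 6 or parts[2] not in ("iam", "sts"):
                findings.append(f"{sid}: principal {arn!r} is not an IAM/STS "
                                "principal; the statement matches no caller")
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"{sid}: grants every S3 action (s3:*); "
                            "scope it to the verbs actually needed")
        if stmt.get("Effect") == "Allow" and "*" in aws_principals and "Condition" not in stmt:
            findings.append(f"{sid}: anonymous principal '*' with no Condition "
                            "makes the resource public")
    return findings


def source_ip_allowed(policy, client_ip):
    """Evaluate only the aws:SourceIp conditions of a policy.

    True when an Allow statement matches the address and no Deny does.
    Other condition keys are ignored (assumed satisfied) in this example."""
    ip = ipaddress.ip_address(client_ip)

    def in_any(cidrs):
        return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

    allowed = False
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        must_match = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
        must_not = _as_list(cond.get("NotIpAddress", {}).get("aws:SourceIp", []))
        if must_match and not in_any(must_match):
            continue            # IpAddress: address must fall in one of the ranges
        if in_any(must_not):
            continue            # NotIpAddress: address must fall in none of them
        if stmt.get("Effect") == "Deny":
            return False        # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def build_instance_role_documents(bucket):
    """Trust policy and permission policy for an EC2 instance role."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},   # only EC2 may assume it
        "Action": "sts:AssumeRole"}]}
    permissions = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"}]}
    return trust, permissions


if __name__ == "__main__":
    for finding in lint_bucket_policy(QUESTION_POLICY):
        print("question policy:", finding)
    for addr in ("54.240.143.10", "54.240.143.188", "10.0.0.1"):
        print(addr, "allowed" if source_ip_allowed(IP_POLICY, addr) else "denied")
    print(json.dumps(build_instance_role_documents("bucket_name")[1], indent=2))
```

Running it prints the two findings against the question's policy, shows that `54.240.143.10` is allowed while `54.240.143.188` and `10.0.0.1` are not under the IP policy, and emits the permission document you would attach to the instance role. The generated role documents pass the same linter, because an identity policy carries no `Principal` and the actions are scoped to the verbs the second answer lists.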
