[英]restrict access to s3 bucket only to specific ec2 instances
I have generated the below policy but it still allows all other ec2 instances to access my bucket. 我已经生成了以下策略,但它仍然允许所有其他ec2实例访问我的存储桶。 what change should I make to this policy?
我应该对此政策进行哪些更改? what I want is my bucket to be accessible only to the instance I have mentioned and not to any other instance
我想要的是我的存储桶只能由我提到的实例访问,而不能由任何其他实例访问
{
"Id": "Policy1507871740101",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1507871738318",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*,
"Principal": {
"AWS":"arn:aws:ec2:region:userid:instance/instanceid"
}
}
]
}
You cannot specify instance ID but you can specify IP address in an S3 policy. 您不能指定实例ID,但可以在S3策略中指定IP地址。
However, you have another problem. 但是,您还有另一个问题。 If your EC2 instances can already access S3, either you have made the bucket public or you have assigned a role to the instance granting permission.
如果您的EC2实例已经可以访问S3,则说明已将存储桶公开,或者您已将角色分配给实例授予权限。 Review this first.
首先复习一下。 Find your security holes first.
首先找到您的安全漏洞。
Below is an example policy for S3 using IP addresses to grant or deny access: 以下是S3使用IP地址授予或拒绝访问的示例策略:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
"NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
}
}
]
}
Just to make it more clear: as was mentioned, you should: 只是为了更清楚一点:如前所述,您应该:
Sample is below: 示例如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucket_name/*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket_name"
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::"
}
]
}
Feel free to edit the first statement to add/remove necessary actions. 随意编辑第一条语句以添加/删除必要的操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.