What are the alternatives to keep my S3 buckets secure in AWS?
Currently, I have an S3 bucket called stackoverflow2017 with some files:
And the ACL is configured as follows:
As you can see, the bucket is private and even my own account won't be able to access it.
I can set a policy to the bucket as follows:
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
But I want to know other alternatives.
Question: What are the alternatives, and of course the best practices, for granting access to developers, applications, etc.?
There are several ways to keep your buckets in S3 secure. I can list these four methods for applying permissions:
The list above follows a permission hierarchy: the first one is the permission highest in the hierarchy, and the last one will be overridden if one of the previous permissions is present in your security configuration.
Reference: How to secure an Amazon S3 Bucket
IAM policies are used to grant access to users, groups, or roles, which are applied to other resources. If a user or an AWS resource (e.g., a specific set of EC2 instances, a Lambda function, another account, etc.) needs to access one or more buckets, this is the way to go. It also helps ensure that you're applying the principle of least privilege and only granting the permissions necessary.
Bucket policies apply to the bucket and the keys within that bucket. If the permissions you need to grant center around the data, bucket policies are the simplest way to accomplish that. This is especially useful when your bucket is enabled as a static website. You can use a bucket policy to make everything in the bucket read-only.
Access control lists are hiding underneath the covers for all permissions methods. ACLs are a fine-grained control that allows you to make exceptions to broader tools (like bucket and IAM policies) as needed. In my experience you'll rarely need to tweak specific ACLs, but the ability is there, and it makes sense in some application scenarios depending on your bucket/key strategy.
Query string authentication and URL-based access are hidden gems in Amazon S3. These methods allow you to grant permissions based on a specific URL. There are two common patterns for using this type of authentication:
This is a great method of securely providing one-time access to your Amazon S3 buckets.
This approach allows you to set an IAM policy on a group or user; you can do that via the CLI, API calls, or the AWS Console.
Click on the link developer, then press the button Add permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1515865413837",
      "Action": [
        "s3:ListBucket",
        "s3:ListObjects"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::stackoverflow2017"
    }
  ]
}
(The "Effect" can also be "Deny".)
That policy, S3PolicyForDeveloper, grants the user developer the permissions for listing buckets and objects within the bucket stackoverflow2017.
For setting policies on groups, follow the same steps on the Group list.
The following command shows how to assign an IAM policy to an IAM user. Basically, it will create a new IAM policy called S3PolicyForDeveloper and immediately attach it to the IAM user.
$ aws iam put-user-policy --user-name developer --policy-name S3PolicyForDeveloper --policy-document file:///policies/S3PolicyForDeveloper.json
On the other hand, imagine you want to attach an existing IAM policy to an IAM user; to do that, execute the following command:
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
The following command shows how to assign an IAM policy to an IAM group. Basically, it will create a new IAM policy called S3PolicyForDeveloper and immediately attach it to the IAM group.
$ aws iam put-group-policy --group-name developers --policy-document file:///policies/S3PolicyForDeveloper.json --policy-name S3PolicyForDeveloper
To attach an existing IAM policy to a group, execute the following command:
$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --group-name developers
A bucket policy allows you to grant specific permissions to specific buckets. For example, you could grant access to your bucket to a specific set of IP addresses, to a specific account in AWS, etc.
This is a policy for bucket stackoverflow2017:
{
  "Version": "2012-10-17",
  "Id": "Policy1515865416346",
  "Statement": [
    {
      "Sid": "Stmt1515865413837",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::stackoverflow2017/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.1.1"
        }
      }
    }
  ]
}
As you can see, the Resource key contains the ARN of bucket stackoverflow2017 plus /* to indicate this policy is applied to the bucket's content; the Condition key contains the policy conditions, in this case this bucket could be read only from IP address 192.168.1.1. The Principal key contains the user, account, service, or other entity that is allowed or denied access to a resource, in this case the specified bucket.
{
  "Version": "2012-10-17",
  "Id": "Policy1515865416346",
  "Statement": [
    {
      "Sid": "Stmt1515865413837",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::stackoverflow2017/*"
    },
    {
      "Sid": "Stmt1515865413838",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::stackoverflow2017"
    }
  ]
}
The policy above allows listing/reading and putting new objects in the bucket stackoverflow2017 if and only if the account doing the operation is 123456789.
This approach allows you to set a bucket policy on a bucket; you can do that via the CLI, API calls, or the AWS Console.
Click on bucket stackoverflow2017, click on the Permissions tab, then click the Bucket Policy button.
Paste the bucket policy, or you can generate it using the AWS Policy Generator.
The command below puts a new bucket policy on the bucket stackoverflow2017 using the file Stackoverflow2017.json:
$ aws s3api put-bucket-policy --bucket stackoverflow2017 --policy file://Stackoverflow2017.json
Hope it helps! 希望能帮助到你!
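A small offline check of the bucket policies discussed in the answer above, added here as an example and not code from the question or the answer. It evaluates whether a given request would be admitted by the posted policy (a deliberately simplified model of IAM evaluation that covers only Action, Resource, Principal and the aws:SourceIp condition, not the ACL or IAM-policy layers of the hierarchy) and lists Allow statements that hand write actions to the wildcard principal. The bucket name, Sid and IP address are taken from the answer; the requester ARN and object key are assumed sample values.

```python
import fnmatch
import ipaddress

# Bucket policy from the answer above, embedded as the constructed sample input.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Id": "Policy1515865416346",
    "Statement": [{
        "Sid": "Stmt1515865413837", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::stackoverflow2017/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.1.1"}},
    }],
}
# Actions that modify data; granting these to Principal "*" is what the audit flags.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:*")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, principal_arn):
    # "*" means any caller, anonymous included; otherwise check the "AWS" entry.
    return principal == "*" or principal_arn in _as_list(principal.get("AWS", []))

def _ip_condition_holds(condition, source_ip):
    # Only the IpAddress / aws:SourceIp condition used on this page is modelled.
    ranges = _as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))
    return not ranges or any(ipaddress.ip_address(source_ip) in ipaddress.ip_network(r, strict=False)
                             for r in ranges)

def statement_matches(stmt, action, resource, principal_arn, source_ip):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _principal_matches(stmt["Principal"], principal_arn)
            and _ip_condition_holds(stmt.get("Condition", {}), source_ip))

def policy_allows(policy, action, resource, principal_arn, source_ip):
    # Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    matched = [s for s in policy["Statement"]
               if statement_matches(s, action, resource, principal_arn, source_ip)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)

def risky_statements(policy):
    # Sids of Allow statements that give write/delete actions to the wildcard principal.
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Allow" and s["Principal"] == "*"
            and any(a in WRITE_ACTIONS for a in _as_list(s["Action"]))]
```

Run against the posted policy, a PutObject from 192.168.1.1 is admitted for any caller (including an anonymous one, since the principal is "*"), while a GetObject is not admitted because the statement grants only PutObject and DeleteObject.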