限制管理员用户访问S3存储桶
[英]Restrict access to a S3 bucket to admin users
问题描述
I have a bucket that can be specifically accessed by a user with a particular policy attached to it. 
我有一个存储桶,用户可以通过特定的策略专门访问该存储桶。 Admin users, for example, with managed policies such as AdministratorAccess can of course access all resources and I would like to avoid that. 例如,具有诸如AdministratorAccess之类的托管策略的管理员用户当然可以访问所有资源,我希望避免这种情况。 Is the recommended approach that of locking down access via roles? 推荐的方法是通过角色锁定访问吗?
https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/ https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
Thank you 谢谢
1 个解决方案
解决方案1
1 已采纳 2019-08-08 12:36:41
Amazon S3 buckets are private by default. 默认情况下,Amazon S3存储桶是私有的。
If you do not wish to grant certain users access to the bucket, then simply do not grant them access . 如果您不希望授予某些用户对该存储桶的访问权限,则只需不授予他们访问权限即可 。
If you are granting wildcard access to some users (eg Admins), you can add a Bucket Policy with Deny actions that prohibits access to the bucket for all but selected users (via a NotCondition ). 如果您向某些用户(例如Admins)授予通配符访问权限,则可以添加带有Deny操作的存储桶策略 ,该策略禁止所有非选定用户(通过NotCondition )访问存储桶。 A Deny will always override an Allow . Deny将始终覆盖Allow 。
However, you will need to code the policies carefully, since Admin users might have permission to modify such policies. 但是,由于管理员用户可能具有修改此类策略的权限,因此您需要仔细编写策略代码。
In situations where there is very sensitive information (eg HR data), some companies create a separate AWS Account where only specific users have access and Admin users do not have access . 在存在非常敏感的信息(例如HR数据)的情况下,某些公司会创建一个单独的AWS账户 ,其中只有特定用户有权访问,而Admin用户则没有访问权限 。 This takes more work, but is likely necessary for sensitive data. 这需要更多的工作,但对于敏感数据可能是必需的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.