
How to create a bucket policy with sourceIP restriction for S3 Access Log target bucket?

I have created one S3 bucket and have enabled server access logging. There is another S3 bucket which is the target bucket for server access log delivery of the first bucket I mentioned.

Now there is a requirement to keep a sourceIP restriction on the target bucket's policy, so the policy on the target bucket is roughly as below:

{
    "Version": "2012-10-17",
    "Id": "Policy1234567890",
    "Statement": [
        {
            "Sid": "Allow-only-specific-sourceIPs",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::log-target-bucket-xyz",
                "arn:aws:s3:::log-target-bucket-xyz/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "10.0.0.1",
                        "10.0.0.2"
                    ]
                },
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-1234xyz",
                    "aws:username": "xyz-user"
                }
            }
        }
    ]
}

But with this policy the server access logs aren't getting delivered to the bucket. This policy is supposed to allow S3 actions only from the source IPs, VPC endpoint and username in the condition.

The target bucket also has the following ACL:

[
    {
        "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
        },
        "Permission": "WRITE"
    },
    {
        "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
        },
        "Permission": "READ_ACP"
    }
]

The problem is: the S3 server access logs are not getting generated, and I need to keep the sourceIP and vpce restriction on the target bucket. The problem resolves if I remove the restrictions from the bucket policy, but I can't seem to find a solution to have logs generated with the restrictions in place.

Edit: Tried the following condition, but it didn't work:

"StringNotLikeIfExists": {
  "s3:x-amz-grant-write": "acs.amazonaws.com/groups/s3/LogDelivery"
}

Please let me know if anyone has any solution or suggestions to solve this problem. Any help is very much appreciated.

Thanks!

Your policy should be a combination of NotIpAddressIfExists and StringNotEqualsIfExists conditions, as described in:

    {
        "Version": "2012-10-17",
        "Id": "Policy1234567890",
        "Statement": [
            {
                "Sid": "Allow-only-specific-sourceIPs",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::log-target-bucket-xyz",
                    "arn:aws:s3:::log-target-bucket-xyz/*"
                ],
                "Condition": {
                    "NotIpAddressIfExists": {
                        "aws:SourceIp": [
                            "10.0.0.1",
                            "10.0.0.2"
                        ]
                    },
                    "StringNotEqualsIfExists": {
                        "aws:sourceVpce": "vpce-1234xyz",
                        "aws:username": "xyz-user"
                    }
                }
            }
        ]
    }

This is very well explained in this question: s3-bucket-security-open-access-restricted-by-public-ip-and-vpc-endpoint
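As an added example (it is not part of the question or the answer above), the following Python script is a small offline lint for bucket policy documents: it flags Deny statements whose negated condition operators (NotIpAddress, StringNotEquals and similar) lack the IfExists suffix the answer recommends, and produces a corrected copy with the suffix appended. The embedded policy is the question's original one; the function names and the operator list are my own choices, and the script does not talk to AWS.

```python
import json

# Negated condition operators that the answer above says should carry the
# IfExists suffix in a Deny statement guarding an access-log target bucket.
# (Assumed list; IAM also supports set prefixes such as ForAnyValue:.)
NEGATED_OPERATORS = {
    "StringNotEquals",
    "StringNotEqualsIgnoreCase",
    "StringNotLike",
    "NotIpAddress",
    "ArnNotEquals",
    "ArnNotLike",
}

# Constructed sample: the question's original (log-blocking) bucket policy.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Id": "Policy1234567890",
    "Statement": [
        {
            "Sid": "Allow-only-specific-sourceIPs",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::log-target-bucket-xyz",
                "arn:aws:s3:::log-target-bucket-xyz/*",
            ],
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": ["10.0.0.1", "10.0.0.2"]},
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-1234xyz",
                    "aws:username": "xyz-user",
                },
            },
        }
    ],
}


def _split_operator(op):
    """Split 'ForAnyValue:StringNotEquals' into ('ForAnyValue', 'StringNotEquals');
    a bare operator yields an empty prefix."""
    prefix, _, base = op.rpartition(":")
    return prefix, base


def find_negated_without_ifexists(policy):
    """Return (Sid, operator) pairs for every Deny statement whose negated
    condition operator has no IfExists suffix. Order follows the document."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for op in stmt.get("Condition", {}):
            _, base = _split_operator(op)
            if base in NEGATED_OPERATORS:
                findings.append((sid, op))
    return findings


def add_ifexists(policy):
    """Return a deep copy of the policy in which every flagged operator is
    renamed to its IfExists form; the input policy is left untouched."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        for op in list(cond):
            prefix, base = _split_operator(op)
            if base in NEGATED_OPERATORS:
                new_op = f"{prefix}:{base}IfExists" if prefix else f"{base}IfExists"
                cond[new_op] = cond.pop(op)
    return fixed


if __name__ == "__main__":
    for sid, op in find_negated_without_ifexists(ORIGINAL_POLICY):
        print(f"statement {sid}: operator {op} lacks IfExists")
    print(json.dumps(add_ifexists(ORIGINAL_POLICY), indent=4))
```

Run it on a policy document pulled with `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) before applying the restriction; a clean run reports no findings and the printed document matches the answer's corrected policy.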
