堆栈内存溢出
  简体   繁体   English

跨账户访问特定 AWS 账户中的 S3 存储桶的 IAM 角色策略

[英]IAM Role policy for cross account access to S3 bucket in a specific AWS account

 原文  2021-01-21 02:01:05       amazon-web-services/ amazon-s3/ amazon-iam

问题描述

Allow access from IAM Role in AccountA to given S3 buckets only if they are present in AWS AccountB (using Account Number).仅当 AWS AccountB中存在给定的 S3 存储桶时才允许从AccountA中的 IAM 角色访问(使用帐号)。

Here is my Role policy in AccountA which currently has following permission.这是我在AccountA中的角色策略,目前具有以下权限。 How can I update it to only access S3 bucket in AccountB .如何将其更新为仅访问AccountB中的 S3 存储桶。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*"
            ],
            "Resource": [
                "arn:aws:s3:::kul-my-bucket/my-dir/*"
            ]
        },
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::kul-my-bucket"
            ]
        }
    ]
}

Wondering if it is possible or should I try it differently?想知道是否有可能或者我应该尝试不同的方法吗?

Is anything similar to this possible for my case by providing the condition in the policy:通过在政策中提供条件,我的情况是否可能与此类似:

"Condition": {
                "StringLike": {
                    "aws:accountId": [
                        "111111111111"
                    ]
                }
            }

I need this because on the S3 bucket in AccountB it allows root access to AccountA .我需要这个,因为在AccountB的 S3 存储桶上,它允许root访问AccountA Hence I want to put restriction on Role policy in AccountA .因此,我想限制AccountA中的角色策略。

1 个解决方案

解决方案1
 2  2021-01-21 03:10:22

I do not think it is possible to grant/deny access to an Amazon S3 bucket based on an AWS Account number.我认为不可能根据 AWS 帐号授予/拒绝对 Amazon S3 存储桶的访问权限。 This is because Amazon S3 ARNs exclude the Account ID and instead use the unique bucket name.这是因为 Amazon S3 ARN 不包括账户 ID,而是使用唯一的存储桶名称。

You would need to grant Allow access specifically to each bucket by name.您需要按名称专门授予允许访问每个存储桶的权限。

I have seen this situation before where the requirement was to grant S3 permission to access buckets only in other accounts , but not the account owning the IAM User themselves.我之前见过这种情况,要求授予 S3 权限以仅访问其他账户中的存储桶,而不是拥有 IAM 用户自己的账户。 We could not determine a way to do this without also granting permission to access the "same account" S3 buckets.如果不授予访问“相同帐户”S3 存储桶的权限,我们无法确定执行此操作的方法。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 适用于跨账户访问的AWS S3存储桶控制策略 - AWS S3 bucket control policy for cross-account access 允许 S3 访问同一账户中特定 IAM 角色的 IAM 策略 - IAM policy to allow S3 access to specific IAM role in the same account 如何使用 IAM 策略 AWS 仅向根账户用户授予对 S3 存储桶的访问权限? - How to grant access only to the Root Account User for an S3 bucket with IAM Policy AWS? 为什么我的 S3 存储桶策略拒绝跨账户访问? - Why is my S3 bucket policy denying cross account access? S3 IAM策略以访问其他帐户 - S3 IAM Policy to access other account Kube.netes 服务帐户的跨帐户 IAM 角色 - s3 存储桶 - Cross account IAM roles for Kubernetes service account - s3 bucket 来自同一 AWS 角色的跨账户 S3 访问 - Cross account S3 access from the same AWS role 具有角色的S3跨帐户访问 - S3 Cross Account Access With Role 如何使用简单的 s3 存储桶策略授予对加密存储桶的跨账户访问权限? - How do I grant cross account access to an encrypted bucket with a simple s3 bucket policy? AWS S3 存储桶 - 允许从特定 AWS 账户将文件下载到每个 IAM 和用户 - AWS S3 bucket - Allow download files to every IAM and Users from specific AWS Account
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM