AWS 托管服务的访问控制
[英]Access control for AWS Managed services
问题描述
Our organization is planning to use AWS Managed services like Rekognition, Textract etc. Since these services uses S3 buckets for Face comparison and analyzing documents.
我们的组织正计划使用 Rekognition、Textract 等 AWS 托管服务。因为这些服务使用 S3 存储桶进行人脸比较和分析文档。 The concern is end users shouldn't be able to access buckets outside our organization, is there any way I can limit the access for only S3 buckets in my organization?问题是最终用户不应该能够访问我们组织之外的存储桶,有什么方法可以限制我组织中仅 S3 存储桶的访问? Buckets can be created on the fly by the user, so the access control should cover all the buckets in the account.存储桶可以由用户动态创建,因此访问控制应覆盖账户中的所有存储桶。 We're also using VPC endpoints for these services.我们还将 VPC 端点用于这些服务。
1 个解决方案
解决方案1
0 2021-02-08 09:06:44
There is no capability to configure Rekognition such that it can only use buckets within the specific AWS Account.无法配置 Rekognition,使其只能使用特定 AWS 账户中的存储桶。
Objects in Amazon S3 are private by default.默认情况下,Amazon S3 中的对象是私有的。 IAM Users in your organization will only have access to buckets for which they have been granted access via a policy on their IAM User, or via a Bucket Policy on the bucket itself.您组织中的 IAM 用户将只能访问已通过其 IAM 用户的策略或存储桶本身的存储桶策略授予他们访问权限的存储桶。
If a user references an S3 object in a call to Amazon Rekognition, the user must have access to the bucket via an IAM Policy or Bucket Policy.如果用户在调用 Amazon Rekognition 时引用了 S3 object,则用户必须有权通过 IAM 策略或存储桶策略访问存储桶。 If they can access the object, then they can use the object with Rekognition.如果他们可以访问 object,那么他们可以将 object 与 Rekognition 一起使用。
In other words, if they have general access to an object (eg to download the object), then they can use Rekognition with it.换句话说,如果他们对 object 具有一般访问权限(例如,下载对象),那么他们可以将 Rekognition 与它一起使用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.