
S3 IAM Policy to access other account

We need to create an IAM user that is allowed to access buckets in our client's S3 accounts (provided that they have allowed us access to those buckets as well).

We have created an IAM user in our account with the following inline policy:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObjectAcl",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

In addition to this, we will request that our clients use the following policy and apply it to their relevant bucket:

{
    "Version": "2008-10-17",
    "Id": "Policy1416999097026",
    "Statement": [
        {
            "Sid": "Stmt1416998971331",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::229569340673:user/our-iam-user"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObjectAcl",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::client-bucket-name/*"
        },
        {
            "Sid": "Stmt1416999025675",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::229569340673:user/our-iam-user"
            },
            "Action": [
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::client-bucket-name"
        }
    ]
}

Whilst this all seems to work fine, the one major issue that we have discovered is our own internal inline policy seems to give full access to our-iam-user to all of our own internal buckets.

Have we mis-configured something, or are we missing something else obvious here?

According to AWS support, this is not the right way to approach the problem: https://forums.aws.amazon.com/message.jspa?messageID=618606

I am copying the answer from them here.

AWS:

The policy you're using with your IAM user grants access to any Amazon S3 bucket. In this case this will include any S3 bucket in your account and any bucket in any other account, where the account owner has granted your user access. You'll want to be more specific with the policy of your IAM user. For example, the following policy will limit your IAM user access to a single bucket.

You can also grant access to an array of buckets, if the user requires access to more than one.

Me:

Unfortunately, we don't know beforehand all of our client's bucket names when we create the inline policy. As we get more and more clients to our service, it would be impractical to keep adding new client bucket names to the inline policy.

I guess another option is to create a new AWS account used solely for the above purpose - ie this account will not itself own anything, and will only ever be used for uploading to client buckets.

Is this acceptable, or are there any other alternatives options open to us?

AWS:

Having a separate AWS account would provide clear security boundaries. Keep in mind that if you ever create a bucket in that other account, the user would inherit access to any bucket if you grant access to "arn:aws:s3:::*".

Another approach would be to use blacklisting (note whitelisting as suggested above is a better practice).

As you can see, the 2nd statement explicitly denies access to an array of buckets. This will override the allow in the first statement. The disadvantage here is that by default the user will inherit access to any new bucket. Therefore, you'd need to be diligent about adding new buckets to the blacklist. Either approach will require you to maintain changes to the policy. Therefore, I recommend my previous policy (aka whitelisting) where you only grant access to the S3 buckets that the user requires.

Conclusion:

For our purposes, the whitelisting/blacklisting approach is not acceptable because we don't know beforehand all the buckets that will be supplied by our clients. In the end, we went the route of creating a new AWS account with a single user, and that user does not have any S3 buckets of its own.
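To make the difference between the three identity-policy shapes discussed in this thread concrete, here is an added example (not code from the original question or from AWS support): a small Python simulator of the core IAM evaluation rule (an explicit Deny in any matching statement wins, otherwise an Allow is required, otherwise the default is Deny) run against the question's original wildcard policy, the allow-list ("whitelisting") policy AWS recommends, and the deny-list ("blacklisting") alternative. It deliberately models only Effect/Action/Resource with `*` wildcards and ignores conditions, NotAction, and resource policies. The bucket names other than `client-bucket-name` are constructed for illustration.

```python
"""Constructed example: minimal IAM identity-policy evaluator for S3 ARNs,
comparing the wildcard, allow-list and deny-list policies from the thread."""
from fnmatch import fnmatchcase

# The six S3 actions from the question's inline policy.
UPLOAD_ACTIONS = [
    "s3:AbortMultipartUpload",
    "s3:PutObjectAcl",
    "s3:ListMultipartUploadParts",
    "s3:PutObject",
    "s3:ListBucketMultipartUploads",
    "s3:GetBucketLocation",
]


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource; fnmatchcase
    # gives the same behaviour for the simple ARN patterns used here.
    return fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request against one identity policy.

    Explicit Deny overrides any Allow; with no matching statement at all the
    result is the implicit default Deny.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins immediately
        decision = "Allow"
    return decision


def bucket_arns(bucket):
    """Bucket-level and object-level ARNs for one bucket name."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def wildcard_policy():
    """The question's original inline policy: every bucket in every account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": UPLOAD_ACTIONS, "Resource": "arn:aws:s3:::*"}]}


def allow_list_policy(client_buckets):
    """Whitelisting (AWS's recommendation): Allow only the named buckets."""
    resources = [arn for b in client_buckets for arn in bucket_arns(b)]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": UPLOAD_ACTIONS, "Resource": resources}]}


def deny_list_policy(internal_buckets):
    """Blacklisting: Allow everything, then explicitly Deny our own buckets."""
    denied = [arn for b in internal_buckets for arn in bucket_arns(b)]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": UPLOAD_ACTIONS, "Resource": "arn:aws:s3:::*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": denied}]}


def can_put_object(policy, bucket):
    """True if the policy lets the user upload an object into `bucket`."""
    return evaluate(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/report.csv") == "Allow"


if __name__ == "__main__":
    clients = ["client-bucket-name"]      # from the question
    internal = ["our-billing-data"]       # constructed internal bucket name
    variants = [("wildcard", wildcard_policy()),
                ("allow-list", allow_list_policy(clients)),
                ("deny-list", deny_list_policy(internal))]
    for name, pol in variants:
        print(f"{name:10s} client={can_put_object(pol, 'client-bucket-name')} "
              f"internal={can_put_object(pol, 'our-billing-data')} "
              f"new-internal={can_put_object(pol, 'our-new-bucket')}")
```

Running it shows the three behaviours the thread describes: the wildcard policy allows uploads to the internal bucket (the question's problem), the allow-list policy denies anything not named, and the deny-list policy blocks the listed internal bucket but still allows a newly created one, which is exactly the maintenance burden AWS support warns about. Note that for a client's bucket in another account, the identity policy in your account and the client's bucket policy both have to allow the request, which is why the allow-list policy still needs an entry per client bucket.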

The policy you grant to your internal user gives this user access to all S3 buckets for the APIs listed (the first policy in your question). This is unnecessary, as your clients' bucket policies will grant your user the required privileges to access the clients' buckets.

To solve your problem, remove the user policy - or - explicitly list your clients' buckets in the list of allowed [Resources] instead of using "*".
