[英]AWS IAM Policies: How do I alter the AWSLambdaFullAccess policy to only allow access to one S3 bucket?
我正在与我的IT团队一起限制我的用户帐户(在root帐户下),以使其无法访问我不想访问的S3存储桶。 启用AWSLambdaFullAccess策略时,它将启用对许多AWS功能(包括所有S3)的完全访问权限。 这是AWSLambdaFullAccess策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"s3:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
}
]
}
大部分都很好。 如何将其作为一项新策略进行更改,以使我只能访问“ arn:aws:s3 ::: lambda-scripts”存储桶?
我能想到的最直接的编辑将涉及从您所拥有的语句中删除“ s3:*”操作,并添加第二条语句,以仅授予S3访问该存储桶的权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Sid": "S3LambdaScripts",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::lambda-scripts*"
]
}
]
}
更好的答案是,您实际上不应该使用预定义的AWSLambdaFullAccess权限。 相反,可以使用针对您真正需要的服务和资源的多个语句来构建自己的语句。 例如,您是否真的在使用Dynamo,Kinesis,Cognito等? 是的,这很乏味。 但是,如果将较小的增量保存为IAM中的用户定义策略,则可以更轻松地从自定义和预定义内容中组合合理的策略。
将S3权限拆分为单独的语句,然后修改这些语句的资源设置。 像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource":"arn:aws:s3:::lambda-scripts"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::lambda-scripts/*"
}
]
}
AWS IAM组策略将可见性和访问权限限制为仅一个Signed S3存储桶
[英]AWS IAM Group Policy to limit visibility & access to only one signle S3 bucket
如何使用 IAM 策略 AWS 仅向根账户用户授予对 S3 存储桶的访问权限?
[英]How to grant access only to the Root Account User for an S3 bucket with IAM Policy AWS?
允许用户访问特定 S3 存储桶以进行备份的 AWS IAM 策略
[英]AWS IAM Policy to allow user access to specific S3 bucket for backup
如何定义仅特定存储桶仅允许对该存储桶执行S3完全访问策略?
[英]How to define Specific Bucket Only Allow S3 Full Access Policy to that bucket only?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.