[英]AWS IAM Policies: How do I alter the AWSLambdaFullAccess policy to only allow access to one S3 bucket?
我正在與我的IT團隊一起限制我的用戶帳戶(在root帳戶下),以使其無法訪問我不想訪問的S3存儲桶。 啟用AWSLambdaFullAccess策略時,它將啟用對許多AWS功能(包括所有S3)的完全訪問權限。 這是AWSLambdaFullAccess策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"s3:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
}
]
}
大部分都很好。 如何將其作為一項新策略進行更改,以使我只能訪問“ arn:aws:s3 ::: lambda-scripts”存儲桶?
我能想到的最直接的編輯將涉及從您所擁有的語句中刪除“ s3:*”操作,並添加第二條語句,以僅授予S3訪問該存儲桶的權限。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Sid": "S3LambdaScripts",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::lambda-scripts*"
]
}
]
}
更好的答案是,您實際上不應該使用預定義的AWSLambdaFullAccess權限。 相反,可以使用針對您真正需要的服務和資源的多個語句來構建自己的語句。 例如,您是否真的在使用Dynamo,Kinesis,Cognito等? 是的,這很乏味。 但是,如果將較小的增量保存為IAM中的用戶定義策略,則可以更輕松地從自定義和預定義內容中組合合理的策略。
將S3權限拆分為單獨的語句,然后修改這些語句的資源設置。 像這樣:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource":"arn:aws:s3:::lambda-scripts"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::lambda-scripts/*"
}
]
}
AWS IAM組策略將可見性和訪問權限限制為僅一個Signed S3存儲桶
[英]AWS IAM Group Policy to limit visibility & access to only one signle S3 bucket
如何使用 IAM 策略 AWS 僅向根賬戶用戶授予對 S3 存儲桶的訪問權限?
[英]How to grant access only to the Root Account User for an S3 bucket with IAM Policy AWS?
允許用戶訪問特定 S3 存儲桶以進行備份的 AWS IAM 策略
[英]AWS IAM Policy to allow user access to specific S3 bucket for backup
如何定義僅特定存儲桶僅允許對該存儲桶執行S3完全訪問策略?
[英]How to define Specific Bucket Only Allow S3 Full Access Policy to that bucket only?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.