IAM policy for access to s3 bucket allows unintended object get operations
Given these bucket keys:
my-permtest/
my-permtest/rootfile.txt
my-permtest/Finance
my-permtest/Finance/financefile.txt
my-permtest/Collections
my-permtest/Collections/collectionfile.txt
my-permtest/Shared
my-permtest/Shared/sharedfile.txt
And this policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListAllMyBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowedListAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my-permtest",
                "arn:aws:s3:::my-permtest/Collections",
                "arn:aws:s3:::my-permtest/Shared"
            ]
        },
        {
            "Sid": "AllowAllObjectActionsNotExplicitlyDenied",
            "Effect": "Allow",
            "Action": [
                "s3:*Object*"
            ],
            "Resource": [
                "arn:aws:s3:::my-permtest/*"
            ]
        },
        {
            "Sid": "DenyAllFinanceAccess",
            "Effect": "Deny",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-permtest/Finance"
            ]
        }
    ]
}
Why can I perform get and put on s3://my-permtest/Finance/financefile.txt?
I expected the "Sid": "DenyAllFinanceAccess" block to forbid this access.
Turns out this was simple.
I also needed to deny all actions on all objects under the Finance key.
Specifically, the
"Sid": "DenyAllFinanceAccess",
block needed to be changed to:
{
    "Sid": "DenyAllFinanceAccess",
    "Effect": "Deny",
    "Action": [
        "s3:*"
    ],
    "Resource": [
        "arn:aws:s3:::my-permtest/Finance",
        "arn:aws:s3:::my-permtest/Finance/*"
    ]
}
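The reason the original Deny misses the object is that IAM resource matching is plain string matching: "*" spans any run of characters and "?" one character, and an ARN has no path hierarchy, so "arn:aws:s3:::my-permtest/Finance" matches only the zero-byte "Finance" key itself and never "Finance/financefile.txt". The following is an added illustration, not code from the question or from AWS: a minimal evaluator that models only Action/Resource wildcard matching and the rule that a matching explicit Deny beats every Allow (implicit deny by default), run against the policy above as posted and against the same policy with the corrected Deny. Conditions, principals, NotAction/NotResource, bucket policies and ACLs are deliberately out of scope; the decision strings "allow", "explicit_deny" and "implicit_deny" are this script's own names.

```python
"""Minimal model of IAM policy evaluation for the S3 policy in the question.

Added illustration, not AWS code. It models only Action/Resource wildcard
matching and "explicit Deny beats Allow, implicit deny is the default".
Conditions, principals, NotAction/NotResource, bucket policies and ACLs are
out of scope. ORIGINAL_POLICY is the policy from the question, transcribed.
"""
import copy
import re


def wildcard_match(pattern, value, case_insensitive=False):
    """IAM-style matching: '*' spans any run of characters (including '/'),
    '?' matches one character. It is plain string matching; ARNs have no
    path hierarchy, so 'bucket/Finance' does not cover 'bucket/Finance/x'."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively, resource ARNs are not.
        action_hit = any(wildcard_match(p, action, case_insensitive=True)
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(wildcard_match(p, resource)
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # a matching Deny wins over every Allow
        decision = "allow"
    return decision


def _stmt(sid, effect, actions, resources):
    return {"Sid": sid, "Effect": effect, "Action": actions, "Resource": resources}


BUCKET = "arn:aws:s3:::my-permtest"
FINANCE_KEY = BUCKET + "/Finance"
FINANCE_FILE = BUCKET + "/Finance/financefile.txt"

ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        _stmt("AllowListAllMyBuckets", "Allow",
              ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], ["arn:aws:s3:::*"]),
        _stmt("AllowedListAccess", "Allow",
              ["s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketLocation"],
              [BUCKET, BUCKET + "/Collections", BUCKET + "/Shared"]),
        _stmt("AllowAllObjectActionsNotExplicitlyDenied", "Allow",
              ["s3:*Object*"], [BUCKET + "/*"]),
        _stmt("DenyAllFinanceAccess", "Deny", ["s3:*"], [FINANCE_KEY]),
    ],
}

# The corrected Deny from the answer: the Finance key itself plus everything below it.
FIXED_POLICY = copy.deepcopy(ORIGINAL_POLICY)
FIXED_POLICY["Statement"][3]["Resource"] = [FINANCE_KEY, FINANCE_KEY + "/*"]


def object_decisions(policy, resource=FINANCE_FILE):
    """Decisions for the object-level calls the question asks about."""
    return {a: evaluate(policy, a, resource)
            for a in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")}


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "financefile.txt:", object_decisions(policy))
        # ListBucket is evaluated against the bucket ARN, so neither Deny touches it:
        # Finance keys still appear in listings unless an s3:prefix condition is added.
        print(name, "ListBucket on bucket:", evaluate(policy, "s3:ListBucket", BUCKET))
```

Two caveats the model makes visible. First, the object Allow uses "s3:*Object*", which also covers actions such as s3:GetObjectAcl and s3:DeleteObjectVersion; the Deny must therefore be at least as broad as the Allow on every Finance resource, which "s3:*" on both "Finance" and "Finance/*" is. Second, s3:ListBucket is evaluated against the bucket ARN, not an object key, so the "my-permtest/Collections" and "my-permtest/Shared" resources in AllowedListAccess never match a ListBucket call and the Finance Deny does not hide Finance keys from listings; restricting listing to certain prefixes needs an s3:prefix condition on the bucket ARN. Verifying the real policy rather than a model is done with the IAM policy simulator (aws iam simulate-custom-policy or simulate-principal-policy with the object ARN as the resource).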