访问其他帐户的 S3 IAM 策略
S3 IAM Policy to access other account
我们需要创建一个 IAM 用户,允许访问我们客户的 S3 帐户中的存储桶(前提是他们也允许我们访问这些存储桶)。
我们已使用以下内联策略在我们的帐户中创建了一个 IAM 用户:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
}
]
}
除此之外,我们将要求我们的客户使用以下策略并将其应用于他们的相关存储桶:
{
"Version": "2008-10-17",
"Id": "Policy1416999097026",
"Statement": [
{
"Sid": "Stmt1416998971331",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::229569340673:user/our-iam-user"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::client-bucket-name/*"
},
{
"Sid": "Stmt1416999025675",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::229569340673:user/our-iam-user"
},
"Action": [
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::client-bucket-name"
}
]
}
虽然这一切似乎都运行良好,但我们发现的一个主要问题是我们自己的内部内联策略似乎允许我们的 iam 用户完全访问我们自己的所有内部存储桶。
我们是否配置错误,或者我们是否遗漏了其他明显的信息?
您授予内部用户的策略允许该用户访问所列 API 的所有 S3 存储桶(您问题中的第一个策略)。这是不必要的,因为您客户端的存储桶策略将授予您的用户访问客户端存储桶所需的权限。
要解决您的问题,请删除用户策略 - 或者 - 在允许的 [资源] 列表中明确地删除您客户的存储桶,而不是使用“*”
根据 AWS 支持,这不是解决问题的正确方法:
https://forums.aws.amazon.com/message.jspa?messageID=618606
我在这里复制他们的答案。
AWS:
The policy you're using with your IAM user grants access to any Amazon S3 bucket. In this case this will include any S3 bucket in your account and any bucket in any other account, where the account owner has granted your user access. You'll want to be more specific with the policy of your IAM user. For example, the following policy will limit your IAM user access to a single bucket.
You can also grant access to an array of buckets, if the user requires access to more than one.
我
Unfortunately, we don't know beforehand all of our client's bucket names when we create the inline policy. As we get more and more clients to our service, it would be impractical to keep adding new client bucket names to the inline policy.
I guess another option is to create a new AWS account used solely for the above purpose - i.e. this account will not itself own anything, and will only ever be used for uploading to client buckets.
Is this acceptable, or are there any other alternatives options open to us?
AWS
Having a separate AWS account would provide clear security boundaries. Keep in mind that if you ever create a bucket in that other account, the user would inherit access to any bucket if you grant access to "arn:aws:s3:::*".
Another approach would be to use blacklisting (note whitelisting as suggested above is a better practice).
As you can see, the 2nd statement explicitly denies access to an array of buckets. This will override the allow in the first statment. The disadvantage here is that by default the user will inherit access to any new bucket. Therefore, you'd need to be diligent about adding new buckets to the blacklist. Either approach will require you to maintain changes to the policy. Therefore, I recommend my previous policy (aka whitelisting) where you only grant access to the S3 buckets that the user requires.
结论
出于我们的目的,白色 listing/blacklisting 方法是不可接受的,因为我们之前不知道我们的客户将提供的所有桶。最后,我们选择了为单个用户创建一个新的 AWS 帐户,而该用户没有自己的 s3 存储桶
我们需要创建一个 IAM 用户,允许访问我们客户的 S3 帐户中的存储桶(前提是他们也允许我们访问这些存储桶)。
我们已使用以下内联策略在我们的帐户中创建了一个 IAM 用户:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
}
]
}
除此之外,我们将要求我们的客户使用以下策略并将其应用于他们的相关存储桶:
{
"Version": "2008-10-17",
"Id": "Policy1416999097026",
"Statement": [
{
"Sid": "Stmt1416998971331",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::229569340673:user/our-iam-user"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::client-bucket-name/*"
},
{
"Sid": "Stmt1416999025675",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::229569340673:user/our-iam-user"
},
"Action": [
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::client-bucket-name"
}
]
}
虽然这一切似乎都运行良好,但我们发现的一个主要问题是我们自己的内部内联策略似乎允许我们的 iam 用户完全访问我们自己的所有内部存储桶。
我们是否配置错误,或者我们是否遗漏了其他明显的信息?
您授予内部用户的策略允许该用户访问所列 API 的所有 S3 存储桶(您问题中的第一个策略)。这是不必要的,因为您客户端的存储桶策略将授予您的用户访问客户端存储桶所需的权限。
要解决您的问题,请删除用户策略 - 或者 - 在允许的 [资源] 列表中明确地删除您客户的存储桶,而不是使用“*”
根据 AWS 支持,这不是解决问题的正确方法: https://forums.aws.amazon.com/message.jspa?messageID=618606
我在这里复制他们的答案。
AWS:
The policy you're using with your IAM user grants access to any Amazon S3 bucket. In this case this will include any S3 bucket in your account and any bucket in any other account, where the account owner has granted your user access. You'll want to be more specific with the policy of your IAM user. For example, the following policy will limit your IAM user access to a single bucket.
You can also grant access to an array of buckets, if the user requires access to more than one.
我
Unfortunately, we don't know beforehand all of our client's bucket names when we create the inline policy. As we get more and more clients to our service, it would be impractical to keep adding new client bucket names to the inline policy.
I guess another option is to create a new AWS account used solely for the above purpose - i.e. this account will not itself own anything, and will only ever be used for uploading to client buckets.
Is this acceptable, or are there any other alternatives options open to us?
AWS
Having a separate AWS account would provide clear security boundaries. Keep in mind that if you ever create a bucket in that other account, the user would inherit access to any bucket if you grant access to "arn:aws:s3:::*".
Another approach would be to use blacklisting (note whitelisting as suggested above is a better practice).
As you can see, the 2nd statement explicitly denies access to an array of buckets. This will override the allow in the first statment. The disadvantage here is that by default the user will inherit access to any new bucket. Therefore, you'd need to be diligent about adding new buckets to the blacklist. Either approach will require you to maintain changes to the policy. Therefore, I recommend my previous policy (aka whitelisting) where you only grant access to the S3 buckets that the user requires.
结论 出于我们的目的,白色 listing/blacklisting 方法是不可接受的,因为我们之前不知道我们的客户将提供的所有桶。最后,我们选择了为单个用户创建一个新的 AWS 帐户,而该用户没有自己的 s3 存储桶