如何使用存储桶策略允许 S3 存储桶跨账户访问
How to allow S3 bucket cross account access using bucket policy
我正在为各种帐户使用以下存储桶策略,将日志推送到位于“ACCOUNT-ID-0”的集中式 S3 存储桶中:
我在 ACCOUNT-ID-0 中有此政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::BUCKET-NAME/vpc-flow-logs/AWSLogs/{ACCOUNT-ID-01}/*",
"arn:aws:s3:::BUCKET-NAME/cloudtrail/AWSLogs/{ACCOUNT-ID-02}/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::BUCKET-NAME"
}
]
}
我想获取位于“arn:aws:s3:::BUCKET-NAME/awsconfigconforms-rules/abc.yaml”的文件
我正在尝试使用模板文件 abc.yaml 部署一致性包。
我是 运行 来自 ACCOUNT-ID-03 的 aws cli 命令,我收到此错误:
调用 PutOrganizationConformancePack 操作时发生错误 (InsufficientPermissionsException):S3 URI 的读取权限不足
有人可以帮我解决这里的存储桶策略吗?
您可以通过以下语句在 ACCOUNT-ID-0 中扩展当前的存储桶策略:
{
"Sid": "AllowReadsFromOtherAccount",
"Effect": "Allow",
"Principal": {
"AWS": "ACCOUNT-ID-03"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BUCKET-NAME/awsconfigconforms-rules/*"
}
请注意,您在 ACCOUNT-ID-03 中使用的 IAM user/role 还需要读取 s3 的权限。
我正在为各种帐户使用以下存储桶策略,将日志推送到位于“ACCOUNT-ID-0”的集中式 S3 存储桶中:
我在 ACCOUNT-ID-0 中有此政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::BUCKET-NAME/vpc-flow-logs/AWSLogs/{ACCOUNT-ID-01}/*",
"arn:aws:s3:::BUCKET-NAME/cloudtrail/AWSLogs/{ACCOUNT-ID-02}/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::BUCKET-NAME"
}
]
}
我想获取位于“arn:aws:s3:::BUCKET-NAME/awsconfigconforms-rules/abc.yaml”的文件
我正在尝试使用模板文件 abc.yaml 部署一致性包。 我是 运行 来自 ACCOUNT-ID-03 的 aws cli 命令,我收到此错误: 调用 PutOrganizationConformancePack 操作时发生错误 (InsufficientPermissionsException):S3 URI 的读取权限不足
有人可以帮我解决这里的存储桶策略吗?
您可以通过以下语句在 ACCOUNT-ID-0 中扩展当前的存储桶策略:
{
"Sid": "AllowReadsFromOtherAccount",
"Effect": "Allow",
"Principal": {
"AWS": "ACCOUNT-ID-03"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BUCKET-NAME/awsconfigconforms-rules/*"
}
请注意,您在 ACCOUNT-ID-03 中使用的 IAM user/role 还需要读取 s3 的权限。