通过访问点将角色授权给 Amazon S3
Authorize a role to Amazon S3 through access point
目标是将 Amazon S3 读写(列出、获取、放置、删除)访问权限限制为单个角色并仅通过访问点访问 S3,并将存储桶策略锁定为仅访问点。
到目前为止我所做的设置是
- 将 s3 的部分(列出、获取、放置、删除)访问控制委托给访问点。
- 在访问点级别应用了显式拒绝以将访问限制为仅一个角色。
- 在那个角色中添加了一个允许它通过访问点列出、获取、放置、删除的策略。
但是有AccessDenied任何提到的操作经验
这是 S3 存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AuthorizeS3ObjectsReadModifyThroughAccessPointsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::XXX-YYY-ZZZ/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"s3:DataAccessPointArn": "arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ"
}
}
},
{
"Sid": "AuthorizeS3ObjectsListThroughAccessPointsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXX-YYY-ZZZ",
"Condition": {
"ForAllValues:StringNotEquals": {
"s3:DataAccessPointArn": "arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ"
}
}
}
]
}
这里是访问点策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AuthorizeReadModifyS3ObjectsThroughSpecificRoleOnly",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ/object/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::XXX-YYY-ZZZ:role/XXX-YYY-ZZZ"
}
}
},
{
"Sid": "AuthorizeListS3ObjectsThroughSpecificRoleOnly",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::XXX-YYY-ZZZ:role/XXX-YYY-ZZZ"
}
}
}
]
}
这是角色策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadModifyS3Objects",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ/object/*",
]
},
{
"Sid": "ListS3Objects",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ"
]
}
]
}
这不起作用 - AccessDenied。我正在使用适当的角色进行测试,例如使用此命令 aws s3 ls "s3://arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ/"
奇怪的是,如果角色策略资源使用 S3 存储桶 ARN(如 arn:aws:s3:::XXX-YYY-ZZZ/* 和 arn:aws:s3:::XXX-YYY-ZZZ)扩展,那么访问和 s3 存储桶资源都存在 那么允许访问。如果删除任何 accesspoint 资源会使 AccessDenied 再次出现。无法理解这一点,似乎我遗漏了一些基本知识,非常感谢文档或 solution/advice.
中的任何指示
None 您的策略实际上允许 S3 中的操作。你只有否认。所以很自然地,您的角色没有访问 S3 的权限。来自 docs:
Permissions granted in an access point policy are only effective if the underlying bucket also allows the same access.
这意味着在您的访问点资源角色中拥有 Allow 还不够。
What is strange is that if the role policy resources are extended with S3 bucket
访问 S3 访问点的权限不能替代实际拥有访问 S3 的权限。因此,您的角色需要 S3 访问点的权限以及实际的 s3 存储桶和对象本身。
目标是将 Amazon S3 读写(列出、获取、放置、删除)访问权限限制为单个角色并仅通过访问点访问 S3,并将存储桶策略锁定为仅访问点。
到目前为止我所做的设置是
- 将 s3 的部分(列出、获取、放置、删除)访问控制委托给访问点。
- 在访问点级别应用了显式拒绝以将访问限制为仅一个角色。
- 在那个角色中添加了一个允许它通过访问点列出、获取、放置、删除的策略。
但是有AccessDenied任何提到的操作经验
这是 S3 存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AuthorizeS3ObjectsReadModifyThroughAccessPointsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::XXX-YYY-ZZZ/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"s3:DataAccessPointArn": "arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ"
}
}
},
{
"Sid": "AuthorizeS3ObjectsListThroughAccessPointsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXX-YYY-ZZZ",
"Condition": {
"ForAllValues:StringNotEquals": {
"s3:DataAccessPointArn": "arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ"
}
}
}
]
}
这里是访问点策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AuthorizeReadModifyS3ObjectsThroughSpecificRoleOnly",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ/object/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::XXX-YYY-ZZZ:role/XXX-YYY-ZZZ"
}
}
},
{
"Sid": "AuthorizeListS3ObjectsThroughSpecificRoleOnly",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::XXX-YYY-ZZZ:role/XXX-YYY-ZZZ"
}
}
}
]
}
这是角色策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadModifyS3Objects",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ/object/*",
]
},
{
"Sid": "ListS3Objects",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ"
]
}
]
}
这不起作用 - AccessDenied。我正在使用适当的角色进行测试,例如使用此命令 aws s3 ls "s3://arn:aws:s3:us-east-1:XXX-YYY-ZZZ:accesspoint/XXX-YYY-ZZZ/"
奇怪的是,如果角色策略资源使用 S3 存储桶 ARN(如 arn:aws:s3:::XXX-YYY-ZZZ/* 和 arn:aws:s3:::XXX-YYY-ZZZ)扩展,那么访问和 s3 存储桶资源都存在 那么允许访问。如果删除任何 accesspoint 资源会使 AccessDenied 再次出现。无法理解这一点,似乎我遗漏了一些基本知识,非常感谢文档或 solution/advice.
None 您的策略实际上允许 S3 中的操作。你只有否认。所以很自然地,您的角色没有访问 S3 的权限。来自 docs:
Permissions granted in an access point policy are only effective if the underlying bucket also allows the same access.
这意味着在您的访问点资源角色中拥有 Allow 还不够。
What is strange is that if the role policy resources are extended with S3 bucket
访问 S3 访问点的权限不能替代实际拥有访问 S3 的权限。因此,您的角色需要 S3 访问点的权限以及实际的 s3 存储桶和对象本身。