IAM 和跨账户写入 S3 存储桶:允许基于组织 ID 的服务主体
IAM & Cross-account write to S3 bucket: Allow service principal based on organisation ID
我有很多 AWS 账户。我为所有这些启用了 VPC 流日志,我想将这些日志发送到我的日志存档帐户中的中央 S3 存储桶。
一个有效的 IAM 策略如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:PutObject",],
"Resource": "arn:aws:s3:::central_log_archive_bucket",
"Condition": {
"StringEquals": {
"aws:SourceAccount": <account_id-1>,
"aws:SourceAccount": <account_id-2>,
"aws:SourceAccount": <account_id-3>,
...
"aws:SourceAccount": <account_id-N>
},
"ArnLike": {
"aws:SourceArn": "arn:aws:logs:*:<account_id-1>:*",
"aws:SourceArn": "arn:aws:logs:*:<account_id-2>:*",
"aws:SourceArn": "arn:aws:logs:*:<account_id-3>:*",
...
"aws:SourceArn": "arn:aws:logs:*:<account_id-N>:*",
}
}
}
]
}
我想简化这个。我不想像上面那样添加所有帐户 ID,而是希望允许属于我组织下的 AWS 帐户的任何 VPC 服务将日志发布到 S3。简而言之,我想做类似的事情:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:PutObject",],
"Resource": "arn:aws:s3:::central_log_archive_bucket",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "ID"
}
}
}
]
}
但我看到以下错误消息:
Unsupported Condition Key for Service Principal
知道如何进行这项工作吗?
如此处所述https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html、
某些服务主体不能使用某些条件键。例如,您不能将 aws:PrincipalOrgID 条件键与服务主体 cloudfront.amazonaws.com. 或其他服务(如日志)一起使用。您应该删除不适用于 Principal 元素中的服务主体的条件键。
您可以在创建每个帐户时使用 lambda 自动执行它,例如,更改存储桶策略...
我有很多 AWS 账户。我为所有这些启用了 VPC 流日志,我想将这些日志发送到我的日志存档帐户中的中央 S3 存储桶。
一个有效的 IAM 策略如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:PutObject",],
"Resource": "arn:aws:s3:::central_log_archive_bucket",
"Condition": {
"StringEquals": {
"aws:SourceAccount": <account_id-1>,
"aws:SourceAccount": <account_id-2>,
"aws:SourceAccount": <account_id-3>,
...
"aws:SourceAccount": <account_id-N>
},
"ArnLike": {
"aws:SourceArn": "arn:aws:logs:*:<account_id-1>:*",
"aws:SourceArn": "arn:aws:logs:*:<account_id-2>:*",
"aws:SourceArn": "arn:aws:logs:*:<account_id-3>:*",
...
"aws:SourceArn": "arn:aws:logs:*:<account_id-N>:*",
}
}
}
]
}
我想简化这个。我不想像上面那样添加所有帐户 ID,而是希望允许属于我组织下的 AWS 帐户的任何 VPC 服务将日志发布到 S3。简而言之,我想做类似的事情:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:PutObject",],
"Resource": "arn:aws:s3:::central_log_archive_bucket",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "ID"
}
}
}
]
}
但我看到以下错误消息:
Unsupported Condition Key for Service Principal
知道如何进行这项工作吗?
如此处所述https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html、
某些服务主体不能使用某些条件键。例如,您不能将 aws:PrincipalOrgID 条件键与服务主体 cloudfront.amazonaws.com. 或其他服务(如日志)一起使用。您应该删除不适用于 Principal 元素中的服务主体的条件键。
您可以在创建每个帐户时使用 lambda 自动执行它,例如,更改存储桶策略...