AWS S3 存储桶策略:如何授予对 EC2 实例的访问权限?
AWS S3 Bucket Policy: How to grant access to EC2 instance?
我真的很苦恼,AWS 官方文档根本帮不上忙!
我设置了一个 S3 存储桶,它允许 public 从几个指定的 IP 地址进行访问。这是有效的自定义策略:
{
"Version": "2012-10-17",
"Id": "Policy1111111111",
"Statement": [
{
"Sid": "Stmt111111111",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
{
"Sid": "Stmt1111111111",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
]
}
现在不只允许上述2个ip地址访问bucket中的资源,我还想让我的EC2实例访问它。
我遵循了这个文档:https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/
我按照确切的步骤操作。
我创建了一个新的 IAM 角色,(arn: "arn:aws:iam::1223123156:role/EC2-to-S3")
我也已将该角色附加到我的 EC2 实例。
但是在第 6 步中:
6. In your bucket policy, edit or remove any Effect: Deny
statements that are denying the IAM instance profile access to
your bucket. For instructions on editing policies,
see Editing IAM policies.
我该怎么做?它指示我查看另一个关于编辑 IAM 策略的文档,但它没有帮助!!!
如何删除任何拒绝 IAM 实例配置文件访问我的存储桶的“效果:拒绝”语句?
我应该使用什么关键字?
这是我尝试过的:
{
"Version": "2012-10-17",
"Id": "Policy1111111111",
"Statement": [
{
"Sid": "Stmt111111111",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
},
"StringNotEquals": {
"aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
}
},
{
"Sid": "Stmt1111112222",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
{
"Sid": "Stmt1639460338435",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
}
}
}
]
}
这是行不通的。我仍然遇到“拒绝访问”错误。
文档可以更具体一点吗?
为什么用 aws docs 完成这么基本的任务这么难??
终于成功了:
{
"Version": "2012-10-17",
"Id": "Policy1111111",
"Statement": [
{
"Sid": "Stmt11111",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
{
"Sid": "Stmt1222222222",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234556:role/EC2-to-S3"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*"
}
]
}
所以诀窍是完全删除拒绝语句,因为默认情况下一切都被拒绝访问。
我之前的编辑:
"Statement": [
{
"Sid": "Stmt111111111",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
},
"StringNotEquals": {
"aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
}
},
StringNotEquals 部分不会删除 iam 角色的默认拒绝。
如果可能,您应该避免使用 Deny 语句,因为它们会覆盖任何 Allow 语句。
您的第一个存储桶政策是这样说的:
Deny 如果请求不是来自给定的 IP 地址,则访问存储桶Allow 如果请求来自给定的 IP 地址,则访问存储桶
不幸的是,Deny 将禁止从 EC2 实例访问,因为它不是列出的 IP 地址之一。
而不是使用 Deny,只需在需要时授予 Allow 访问权限。默认情况下拒绝访问 S3,因此只有 Allow 策略授予用户访问权限,用户才能获得访问权限。
要授予对实例的访问权限,请创建 iam 实例配置文件并将其附加到您的 EC2 实例。
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/
我真的很苦恼,AWS 官方文档根本帮不上忙!
我设置了一个 S3 存储桶,它允许 public 从几个指定的 IP 地址进行访问。这是有效的自定义策略:
{
"Version": "2012-10-17",
"Id": "Policy1111111111",
"Statement": [
{
"Sid": "Stmt111111111",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
{
"Sid": "Stmt1111111111",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
]
}
现在不只允许上述2个ip地址访问bucket中的资源,我还想让我的EC2实例访问它。
我遵循了这个文档:https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/
我按照确切的步骤操作。
我创建了一个新的 IAM 角色,(arn: "arn:aws:iam::1223123156:role/EC2-to-S3")
我也已将该角色附加到我的 EC2 实例。
但是在第 6 步中:
6. In your bucket policy, edit or remove any Effect: Deny
statements that are denying the IAM instance profile access to
your bucket. For instructions on editing policies,
see Editing IAM policies.
我该怎么做?它指示我查看另一个关于编辑 IAM 策略的文档,但它没有帮助!!!
如何删除任何拒绝 IAM 实例配置文件访问我的存储桶的“效果:拒绝”语句?
我应该使用什么关键字?
这是我尝试过的:
{
"Version": "2012-10-17",
"Id": "Policy1111111111",
"Statement": [
{
"Sid": "Stmt111111111",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
},
"StringNotEquals": {
"aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
}
},
{
"Sid": "Stmt1111112222",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
{
"Sid": "Stmt1639460338435",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
}
}
}
]
}
这是行不通的。我仍然遇到“拒绝访问”错误。
文档可以更具体一点吗? 为什么用 aws docs 完成这么基本的任务这么难??
终于成功了:
{
"Version": "2012-10-17",
"Id": "Policy1111111",
"Statement": [
{
"Sid": "Stmt11111",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
{
"Sid": "Stmt1222222222",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234556:role/EC2-to-S3"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*"
}
]
}
所以诀窍是完全删除拒绝语句,因为默认情况下一切都被拒绝访问。
我之前的编辑:
"Statement": [
{
"Sid": "Stmt111111111",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
},
"StringNotEquals": {
"aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
}
},
StringNotEquals 部分不会删除 iam 角色的默认拒绝。
如果可能,您应该避免使用 Deny 语句,因为它们会覆盖任何 Allow 语句。
您的第一个存储桶政策是这样说的:
Deny如果请求不是来自给定的 IP 地址,则访问存储桶Allow如果请求来自给定的 IP 地址,则访问存储桶
不幸的是,Deny 将禁止从 EC2 实例访问,因为它不是列出的 IP 地址之一。
而不是使用 Deny,只需在需要时授予 Allow 访问权限。默认情况下拒绝访问 S3,因此只有 Allow 策略授予用户访问权限,用户才能获得访问权限。
要授予对实例的访问权限,请创建 iam 实例配置文件并将其附加到您的 EC2 实例。 https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/