我有一个关于 AWS S3 存储桶策略的查询
I have a Query about AWS S3 bucket policy
我在账户 A 中有一个 AWS S3 存储桶,这个存储桶是由 AWS Control Tower 创建的。
并用于从我组织中的所有其他帐户收集日志,
我试图了解类似这样的存储桶策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1",
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "AWSBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
{
"Sid": "AWSBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
}
]
}
现在我组织中的所有其他帐户都能够在此 S3 中转储 cloudtrail 日志。
但是我没有得到一件事,我没有指定任何特定或个人的帐号,但是其他帐户仍然可以在这个桶中写入内容,
虽然我确实看到主体提到了可以转储的相关服务名称,但它应该只针对这个帐户本身吗?
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
第一个“*”启用所有帐号。
我们来一一分析规则:
第一条规则只说明没有 SSL 就无法访问,如果存在 SSL 层则它什么都不做:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1",
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
接下来的两个动作只允许读取:
{
"Sid": "AWSBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
所以唯一允许写入的动作是这个:
{
"Sid": "AWSBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
}
]
}
上面写着:你可以把object放在/o-1234/AWSLogs下,只要你是以下两个AWS服务之一:Config或Cloudtrail。
显然,如果知道存储桶名称和组织 ID 允许我说服 Config 或 Cloudtrail 使用该存储桶,除了这些服务内部的一些内部保护之外,我看不出有什么能阻止我这样做。
基于此文档:
似乎要允许帐户 111111111111 写入该存储桶,您应该使用以下 ARN 模式:"arn:aws:s3:::myBucketName/optionalLogFilePrefix/AWSLogs/111111111111/*",
所以@izayoi的回答虽然没有给出任何解释,但仍然是正确的。 Cloudtrail 服务应向您保证它将始终在日志中使用该帐户 ID,因此您可以通过列出所有帐号来缩小访问范围。当然,每个新帐户都必须对其进行更新。
结论:是的,知道存储桶名称和您的组织 ID 应该允许世界上的每个 AWS 帐户使用您的存储桶来使用当前策略进行 Cloudtrail 日志记录...很有趣。我可能会列出您的帐号。
我在账户 A 中有一个 AWS S3 存储桶,这个存储桶是由 AWS Control Tower 创建的。 并用于从我组织中的所有其他帐户收集日志,
我试图了解类似这样的存储桶策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1",
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "AWSBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
{
"Sid": "AWSBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
}
]
}
现在我组织中的所有其他帐户都能够在此 S3 中转储 cloudtrail 日志。 但是我没有得到一件事,我没有指定任何特定或个人的帐号,但是其他帐户仍然可以在这个桶中写入内容, 虽然我确实看到主体提到了可以转储的相关服务名称,但它应该只针对这个帐户本身吗?
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
第一个“*”启用所有帐号。
我们来一一分析规则:
第一条规则只说明没有 SSL 就无法访问,如果存在 SSL 层则它什么都不做:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1",
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
接下来的两个动作只允许读取:
{
"Sid": "AWSBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
所以唯一允许写入的动作是这个:
{
"Sid": "AWSBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
}
]
}
上面写着:你可以把object放在/o-1234/AWSLogs下,只要你是以下两个AWS服务之一:Config或Cloudtrail。
显然,如果知道存储桶名称和组织 ID 允许我说服 Config 或 Cloudtrail 使用该存储桶,除了这些服务内部的一些内部保护之外,我看不出有什么能阻止我这样做。
基于此文档:
似乎要允许帐户 111111111111 写入该存储桶,您应该使用以下 ARN 模式:"arn:aws:s3:::myBucketName/optionalLogFilePrefix/AWSLogs/111111111111/*",
所以@izayoi的回答虽然没有给出任何解释,但仍然是正确的。 Cloudtrail 服务应向您保证它将始终在日志中使用该帐户 ID,因此您可以通过列出所有帐号来缩小访问范围。当然,每个新帐户都必须对其进行更新。
结论:是的,知道存储桶名称和您的组织 ID 应该允许世界上的每个 AWS 帐户使用您的存储桶来使用当前策略进行 Cloudtrail 日志记录...很有趣。我可能会列出您的帐号。