只有当用户来自S3桶源时,允许用户放置对象的IAM和桶策略是什么?
只有当用户来自S3桶源时,允许用户放置对象的IAM和桶策略是什么?
提问于 2022-07-17 13:53:31
目前,S3 GET和PUT操作允许用户将本地环境中的任何内容上传到S3存储桶中。我有兴趣对此加以限制。
想象一下我有两个桶:
- One称为
landing-zone,数据工程师可以使用它从本地环境或所有其他桶中获取和放置对象,而 - One则称为
analysis,它只能被数据分析人员用来放置源自landing-zone或analysisS3桶的对象。(理想情况下,分析师可以从landing-zone或analysisS3桶中获取数据,修改数据,并将其放入analysisS3中。)
。
我为landing-zone和analysis S3存储桶创建了单独的访问点,然后使用以下格式为每个分析用户创建了S3桶策略。
{
"Version": "2012-10-17",
"Statement" :
[
{
"Effect": "Allow",
"Principal" : {"AWS": "arn-user-analyst-name"},
"Action" : "s3:*",
"Resource" : "access-point-arn-landing-zone",
"Condition": {"StringEquals": {"s3:DataAccessPointAccount": "aws-account-id"}}
}
]
}然后,我为具有以下S3权限的分析人员创建了IAM访问策略。
...
{
"Sid": "AccessAllS3Settings",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetBucketVersioning",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetObjectAcl",
"s3:ListAccessPointsForObjectLambda",
"s3:ListBucketMultipartUploads",
"s3:ListAccessPoints",
"s3:GetAccessPoint",
"s3:CreateAccessPoint",
"s3:ListJobs",
"s3:CreateJob",
"s3:ListStorageLensConfigurations",
"s3:PutStorageLensConfiguration",
"s3:ListMultipartUploadParts",
"s3:ListMultiRegionAccessPoints",
"s3:GetBucketPolicy",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketLocation",
"s3:GetEncryptionConfiguration"
],
"Resource": "*",
"Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"}}
},
{
"Sid": "GetAllS3Buckets",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectVersionAttributes",
"s3:GetObjectAttributes"
],
"Resource": [
"arn:aws:s3:::landing-zone",
"arn:aws:s3:::landing-zone/*",
"arn:aws:s3:::analysis",
"arn:aws:s3:::analysis/*"
],
"Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"}}
},
{
"Sid": "PutAnalysisS3BucketLimitedBySource",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::analysis",
"arn:aws:s3:::analysis/*"
],
"Condition": {
"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"},
"ForAnyValue:StringEquals": {"s3:DataAccessPointArn": [
"access-point-arn-landing-zone>",
"access-point-arn-analysis>"
]}
}
}
...但是,当我作为分析师测试此策略时,将现有测试数据集从landing-zone复制到analysis S3桶将失败,即aws s3 cp s3://landing-zone/test.txt s3://analysis/test.txt --sse AES256生成An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied。
我可以在landing-zone中打开数据集到analysis S3存储桶。
我做错了什么?
回答 1
Stack Overflow用户
发布于 2022-07-21 02:04:47
您所收到的错误是针对CopyObject操作的,这与GetObject或PutObject不一样。
如果将s3:CopyObject添加到您的操作中,这应该会有效,但在当前的设置中,我相信这将允许分析师从landing-zone复制到analysis,反之亦然,这意味着分析师可以处理landing-zone中的数据。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/73012365
复制相关文章
相似问题
腾讯云开发者
