我在一个AWS账户中有一个s3存储桶说ACCID1 . 我想允许root用户和一个特定用户USER1对其拥有完全访问权限 . 从另一个帐户,ACCID2,我有IAM角色,我想附加到EC2实例,并且只允许从该IAM角色进行访问 . 角色是备份 - 完全访问(读取,写入和删除) . 我创建了以下存储桶策略,但是无法通过以上IAM角色启动的EC2实例访问存储桶(在ACCID2中) . 我可以将它从EC2实例中用作来自ACCID1的USER1并执行列表,创建和删除 .
{
"Version":"2012-10-17",
"Id":"BackupBucketPolicy",
"Statement":[
{
"Sid":"DenyAllOther",
"Effect":"Deny",
"NotPrincipal":{
"AWS":[
"arn:aws:iam::ACCID1:user/USER1",
"arn:aws:iam::ACCID1:root",
"arn:aws:iam::ACCID2:role/backup-full-access"
]
},
"Action":"s3:*",
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
},
{
"Sid":"DevAccountRootFullAccess",
"Effect":"Allow",
"Principal":{
"AWS":[
"arn:aws:iam::ACCID1:user/USER1",
"arn:aws:iam::ACCID1:root"
]
},
"Action":"s3:*",
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
},
{
"Sid":"GraphBackupReadWriteDeleteAccess",
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::ACCID2:role/backup-full-access"
},
"Action":[
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
}
]
}
IAM角色备份 - 完全访问具有以下策略:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"Stmt2",
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
}
]
}
我无法弄清楚这里出了什么问题 . 任何帮助,将不胜感激 .
1 回答
首先,您不需要deny-all-other策略,因为S3存储桶权限是默认拒绝的 .
其次,您需要在创建时将
backup-full-access角色的类型设置为 Role for Cross-Account Access .最后,您的角色政策应写为:
资料来源:Delegate Access Across AWS Accounts Using IAM Roles