首页 文章

S3 Private Bucket

提问于
浏览
0

我正在尝试创建一个访问受限的私有S3存储桶 . 我只希望自己作为用户和EC2角色来访问存储桶 . 存储桶的目的是存储加密的SSH密钥,这些密钥将复制到自动缩放组中的计算机上 . 现在,当我对桶运行aws同步时,这是输出:

cogility@ip-10-10-200-113:~$ aws s3 sync s3://sshfolder.companycloud.com/cogility /home/cogility/.ssh
download failed: s3://sshfolder.companycloud.com/cogility/id_rsa to ../cogility/.ssh/id_rsa An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
download failed: s3://sshfolder.companycloud.com/cogility/id_rsa.pub to ../cogility/.ssh/id_rsa.pub An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

我使用具有以下权限的EC2角色创建EC2实例:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "kms:List*",
                "kms:Get*",
                "kms:Describe*"
            ],
            "Resource": "arn:aws:kms:us-west-2:0000000000:key/kms-id-01234567890"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::sshfolder.companycloud.com/*",
                "arn:aws:s3:::sshfolder.companycloud.com"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*",
                "ec2:*",
                "cloudwatch:*",
                "autoscaling:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "lambda:List*",
                "lambda:Invoke*",
                "lambda:Get*"
            ],
            "Resource": "*"
        }
    ]
}

以下是存储桶策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::sshfolder.companycloud.com",
                "arn:aws:s3:::sshfolder.companycloud.com/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAXXXXXXXXXXXXXXXXX", <-- autoscaling-ec2-role user id
                        "AROAXXXXXXXXXXXXXXXXX",
                        "AIDAXXXXXXXXXXXXXXXXX",
                        "AIDAXXXXXXXXXXXXXXXXX"
                    ],
                    "aws:sourceVpce": "vpce-abc82480d"
                },
                "ArnNotLike": {
                    "aws:SourceArn": "arn:aws:sts::000000000000:assumed-role/autoscaling-ec2-role/"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::sshfolder.companycloud.com",
                "arn:aws:s3:::sshfolder.companycloud.com/*"
            ]
        }
    ]
}

知道为什么我无法从我的EC2实例访问S3存储桶吗?

amazon-web-services amazon-s3 amazon-ec2

2 回答

  • 1

    默认情况下,Amazon S3存储桶是私有的 . 因此,一种方法是:

    • 不要使用Bucket Policy

    • 为您的IAM用户和IAM角色添加权限以访问存储桶

    或者:

    • 使用存储桶策略授予对IAM用户和IAM角色的访问权限

    两者都足以满足您的需求 .

    但是,如果你进一步偏执,有人可能会意外地授予对存储桶的访问权限(例如使用 s3:** 的主体),那么明确拒绝访问除用户和角色之外的任何人的方法是一种很好的方法 .

    回复于
  • 0

    拒绝特朗普允许你的桶政策 . 您需要使用非主体来实现此目的 .

    "Statement": [
    {
        "Effect": "Deny",
        "NotPrincipal": {
            "AWS": "arn:aws:iam::000000000000:root"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::sshfolder.companycloud.com",
            "arn:aws:s3:::sshfolder.companycloud.com/*"
        ],
        "Condition": {
            "StringNotLike": {
                "aws:userId": [
                    "AROAXXXXXXXXXXXXXXXXX", <-- autoscaling-ec2-role user id
                    "AROAXXXXXXXXXXXXXXXXX",
                    "AIDAXXXXXXXXXXXXXXXXX",
                    "AIDAXXXXXXXXXXXXXXXXX"
                ],
                "aws:sourceVpce": "vpce-abc82480d"
            },
            "ArnNotLike": {
                "aws:SourceArn": "arn:aws:sts::000000000000:assumed-role/autoscaling-ec2-role/"
            }
        }
    }
]

    它只是颠倒了主要元素 . 您可以根据需要类似地使用NotAction和NotResource . 你可以完全取消你的条件,只使用NotPrincipal,它通常比条件更好 .

    这是一个资源:https://aws.amazon.com/blogs/security/how-to-create-a-policy-that-whitelists-access-to-sensitive-amazon-s3-buckets/

    回复于

相关问题