我试图配置一个Kinesis Firehose传输流来将文件写入S3。我创建了Firehose流来使用名为att1
的角色。我需要将文件写入S3需要哪些AWS IAM角色策略?
这是附加到att
的配置的策略。我从此处采用了此页格式https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3
我已验证该政策,但我不确定它是否正确。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:*",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::s3bucket",
"arn:aws:s3:::s3bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:us-east-1:515766555555:key/cdee14ca-12b1-4790-9513-d007a3192f43"
],
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.us-east-1.amazonaws.com"
},
"StringLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::s3bucket*"
}
}
}
]
}
配置显然已经被编辑过的隐私设置,但除此之外,我认为在KMS您StringLike
条件关键的政策是错误的,这是直接从政策
相当肯定“S3:*”给出了这样的政策完全访问权限,周期。也许不是你想要的? – TheFiddlerWins
是的,这就是我的想法,但是在写入S3之前,数据流程中的所有内容都在运行。只是想看看这个政策的定义是不是问题 – simplycoding