S3 Private Bucket

Question

我正在尝试创建一个有限访问权的私人S3存储桶。我只想让自己成为用户和EC2角色来访问存储桶。存储桶的目的是存储将被复制到自动调节组中的计算机上的加密SSH密钥。现在，当我运行对斗AWS同步，这里是输出：

cogility@ip-10-10-200-113:~$ aws s3 sync s3://sshfolder.companycloud.com/cogility /home/cogility/.ssh 
download failed: s3://sshfolder.companycloud.com/cogility/id_rsa to ../cogility/.ssh/id_rsa An error occurred (AccessDenied) when calling the GetObject operation: Access Denied 
download failed: s3://sshfolder.companycloud.com/cogility/id_rsa.pub to ../cogility/.ssh/id_rsa.pub An error occurred (AccessDenied) when calling the GetObject operation: Access Denied 

我创建EC2实例与EC2角色具有以下权限：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Sid": "", 
      "Effect": "Allow", 
      "Action": [ 
       "kms:List*", 
       "kms:Get*", 
       "kms:Describe*" 
      ], 
      "Resource": "arn:aws:kms:us-west-2:0000000000:key/kms-id-" 
     }, 
     { 
      "Sid": "", 
      "Effect": "Allow", 
      "Action": "s3:*", 
      "Resource": [ 
       "arn:aws:s3:::sshfolder.companycloud.com/*", 
       "arn:aws:s3:::sshfolder.companycloud.com" 
      ] 
     }, 
     { 
      "Sid": "", 
      "Effect": "Allow", 
      "Action": [ 
       "elasticloadbalancing:*", 
       "ec2:*", 
       "cloudwatch:*", 
       "autoscaling:*" 
      ], 
      "Resource": "*" 
     }, 
     { 
      "Sid": "", 
      "Effect": "Allow", 
      "Action": [ 
       "lambda:List*", 
       "lambda:Invoke*", 
       "lambda:Get*" 
      ], 
      "Resource": "*" 
     } 
    ] 
} 

这里是斗政策：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Deny", 
      "Principal": "*", 
      "Action": "s3:*", 
      "Resource": [ 
       "arn:aws:s3:::sshfolder.companycloud.com", 
       "arn:aws:s3:::sshfolder.companycloud.com/*" 
      ], 
      "Condition": { 
       "StringNotLike": { 
        "aws:userId": [ 
         "AROAXXXXXXXXXXXXXXXXX", <-- autoscaling-ec2-role user id 
         "AROAXXXXXXXXXXXXXXXXX", 
         "AIDAXXXXXXXXXXXXXXXXX", 
         "AIDAXXXXXXXXXXXXXXXXX" 
        ], 
        "aws:sourceVpce": "vpce-abc82480d" 
       }, 
       "ArnNotLike": { 
        "aws:SourceArn": "arn:aws:sts::000000000000:assumed-role/autoscaling-ec2-role/" 
       } 
      } 
     }, 
     { 
      "Effect": "Allow", 
      "Principal": { 
       "AWS": "arn:aws:iam::000000000000:root" 
      }, 
      "Action": "s3:*", 
      "Resource": [ 
       "arn:aws:s3:::sshfolder.companycloud.com", 
       "arn:aws:s3:::sshfolder.companycloud.com/*" 
      ] 
     } 
    ] 
} 

任何想法为什么我无法从我的EC2实例访问S3存储桶？

Answer 1

否决特权允许您的存储桶政策。你需要使用不是主体来实现这一点。

"Statement": [ 
    { 
     "Effect": "Deny", 
     "NotPrincipal": { 
      "AWS": "arn:aws:iam::000000000000:root" 
     }, 
     "Action": "s3:*", 
     "Resource": [ 
      "arn:aws:s3:::sshfolder.companycloud.com", 
      "arn:aws:s3:::sshfolder.companycloud.com/*" 
     ], 
     "Condition": { 
      "StringNotLike": { 
       "aws:userId": [ 
        "AROAXXXXXXXXXXXXXXXXX", <-- autoscaling-ec2-role user id 
        "AROAXXXXXXXXXXXXXXXXX", 
        "AIDAXXXXXXXXXXXXXXXXX", 
        "AIDAXXXXXXXXXXXXXXXXX" 
       ], 
       "aws:sourceVpce": "vpce-abc82480d" 
      }, 
      "ArnNotLike": { 
       "aws:SourceArn": "arn:aws:sts::000000000000:assumed-role/autoscaling-ec2-role/" 
      } 
     } 
    } 
] 

它只是反转主元素。您可以根据需要类似地使用NotAction和NotResource。你可以完全废除你的条件，只用NotPrincipal来处理它们，这通常比条件更好。

这里是它的资源：https://aws.amazon.com/blogs/security/how-to-create-a-policy-that-whitelists-access-to-sensitive-amazon-s3-buckets/

Answer 2

亚马逊S3水桶在默认情况下私人。因此，一个办法是：

• 不要使用桶政策
• 将权限添加到您的IAM用户和IAM角色访问斗

或者：

• 使用存储桶策略授予对IAM用户和IAM角色的访问权

两者都足以满足您的需求。

但是，如果你还偏执地认为有人可能不小心授权访问桶（例如用s3:*和*主），那么你的明确拒绝访问比用户&角色以外的其他人的做法是一个好方法。