我真的在為此苦苦掙扎,AWS 官方檔案根本沒有幫助!
我設定了一個 S3 存盤桶,它允許從幾個指定的 IP 地址進行公共訪問。這是有效的自定義策略:
{
"Version": "2012-10-17",
"Id": "Policy1111111111",
"Statement": [
{
"Sid": "Stmt111111111",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
{
"Sid": "Stmt1111111111",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
]
}
現在,不是只允許上述 2 個 ip 地址訪問存盤桶中的資源,我還希望我的 EC2 實體訪問它。
我遵循了這個檔案:https : //aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/
我遵循了確切的步驟。我創建了一個新的 IAM 角色,(arn:“arn:aws:iam::1223123156:role/EC2-to-S3”)
我還將角色附加到我的 EC2 實體。
但是在第 6 步中:
6. In your bucket policy, edit or remove any Effect: Deny
statements that are denying the IAM instance profile access to
your bucket. For instructions on editing policies,
see Editing IAM policies.
我該怎么做?它引導我到另一個關于編輯 IAM 策略的檔案,但它沒有幫助!!!
如何洗掉任何拒絕 IAM 實體組態檔訪問我的存盤桶的“Effect: Deny”陳述句?
我應該使用什么關鍵字?
這是我嘗試過的:
{
"Version": "2012-10-17",
"Id": "Policy1111111111",
"Statement": [
{
"Sid": "Stmt111111111",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
},
"StringNotEquals": {
"aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
}
},
{
"Sid": "Stmt1111112222",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
{
"Sid": "Stmt1639460338435",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
}
}
}
]
}
這不起作用。我仍然遇到“拒絕訪問”錯誤。
檔案可以更具體一點嗎?為什么使用 aws docs 完成這樣一項基本任務如此困難?
這終于奏效了:
{
"Version": "2012-10-17",
"Id": "Policy1111111",
"Statement": [
{
"Sid": "Stmt11111",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
}
}
},
{
"Sid": "Stmt1222222222",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234556:role/EC2-to-S3"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myapp-local-test/*"
}
]
}
所以訣竅是完全洗掉拒絕陳述句,因為默認情況下一切都被拒絕訪問。
我之前的編輯:
"Statement": [
{
"Sid": "Stmt111111111",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myapp-local-test/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"12.122.123.111",
"121.217.73.153"
]
},
"StringNotEquals": {
"aws:SourceArn": "arn:aws:iam::1223123156:role/EC2-to-S3"
}
},
該StringNotEquals部件不會洗掉 iam 角色的默認拒絕。
uj5u.com熱心網友回復:
如果可能,您應該避免使用Deny陳述句,因為它們會覆寫任何Allow陳述句。
您的第一個存盤桶策略是這樣說的:
Deny如果請求不是來自給定的 IP 地址,則訪問存盤桶Allow如果請求來自給定的 IP 地址,則訪問存盤桶
不幸的是,Deny它將禁止從 EC2 實體訪問,因為它不是列出的 IP 地址之一。
無需使用Deny,只需Allow在需要時授予訪問權限。默認情況下拒絕訪問 S3,因此用戶只有在有Allow授予訪問權限的策略時才能獲得訪問權限。
轉載請註明出處,本文鏈接:https://www.uj5u.com/yidong/380785.html