Iam使用以下针对各种帐户的bucket策略来推送位于";账户-ID-0":
我在ACCOUNT-ID-0 中有此政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::BUCKET-NAME/vpc-flow-logs/AWSLogs/{ACCOUNT-ID-01}/*",
"arn:aws:s3:::BUCKET-NAME/cloudtrail/AWSLogs/{ACCOUNT-ID-02}/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"delivery.logs.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::BUCKET-NAME"
}
]
}我想得到位于";arn:aws:s3:::BUCKET-NAME/awsconfigcompliants rules/abc.yaml">
我正在尝试使用模板文件abc.yaml部署一致性包。我正在从ACCOUNT-ID-03运行aws-cli命令,并收到以下错误:调用PutOrganizationConformancePack操作时发生错误(InsufficientPermissionsException(:S3 URI上的读取权限不足
有人能帮我处理这里的水桶政策吗?
您可以通过以下语句在ACCOUNT-ID-0中扩展当前bucket策略:
{
"Sid": "AllowReadsFromOtherAccount",
"Effect": "Allow",
"Principal": {
"AWS": "ACCOUNT-ID-03"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BUCKET-NAME/awsconfigconforms-rules/*"
}
请注意,您在ACCOUNT-ID-03中使用的IAM用户/角色也需要读取s3的权限。