我在账户a中有一个AWS S3存储桶,这个存储桶是由AWS Control Tower创建的。用于从我的组织中的所有其他帐户收集日志
我试图理解类似的桶政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1",
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "AWSBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
{
"Sid": "AWSBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
}
]
}
现在,我组织中的所有其他帐户都可以在S3中转储cloudtrail日志。但我没有得到一件事,我没有指定任何特定或个人的账号,但仍然有其他账户可以在这个桶里写内容,虽然我确实看到了可以转储的提到相关服务名称的主体,但应该,不是只为这个帐户本身吗?
让我们逐一分析规则:
第一条规则只是说,没有SSL就不可能进行访问,如果存在SSL层,它什么也不做:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1",
"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
接下来的两个操作只允许读取:
{
"Sid": "AWSBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1"
},
因此,唯一允许写入的操作是:
{
"Sid": "AWSBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com",
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
}
]
}
它说:只要你是以下两个AWS服务之一,你就可以把对象放在/o-124/AWSLog下:Config或Cloudtrail。
很明显,如果知道bucket名称和组织ID可以说服Config或Cloudtrail使用该bucket,那么除了这些服务内部的一些内部保护之外,我看不出有什么能阻止我这样做。
基于此文件:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-set-bucket-policy-for-multiple-accounts.html
似乎为了允许帐户111111111111写入该bucket,您应该使用以下ARN模式:"arn:aws:s3:::myBucketName/optionalLogFilePrefix/AWSLogs/111111111111/*",
因此,尽管@izayoi提供的答案没有提供任何解释,但它仍然是正确的。Cloudtrail服务应该保证它将始终在日志中使用该帐户id,这样您就可以通过列出所有帐号来缩小访问范围。当然,每个新帐户都必须更新它。
结论:是的,知道bucket名称和您的组织ID应该允许世界上的每个AWS帐户根据当前政策使用您的bucket进行Cloudtrail日志记录。。。有趣的我可能会列出你的账号。
"资源":"arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*";
*"启用所有帐号。