我最近在使用CodeBuild时遇到了IAM策略问题。我正在努力理解以下两种策略之间的区别,并想确认使用版本2而不是版本1是否有任何安全隐患。
版本1不起作用,所以我改用了版本2。但是为什么版本2有效,而版本1却不起作用呢?
版本1只提供对CodePipeline资源的访问权限,并允许读取和写入S3 bucket对象。
然而,版本2允许访问所有S3存储桶,不是吗?这会被认为是一个安全漏洞吗?
版本1
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
"arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-ap-southeast-1-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
}
]
}
版本2
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
"arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-ap-southeast-1-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
},
{
"Sid": "S3AccessPolicy",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:GetObject",
"s3:List*",
"s3:PutObject"
],
"Resource": "*"
}
]
}
我已经通过向特定的S3 Bucket提供受限访问来复制该场景。
块1:允许所需的Amazon S3控制台权限。此处我已授予CodePipeline列出AWS帐户中所有bucket的权限。
块2:允许在根文件夹中列出对象。此处我的S3 Bucket名称为"aws-codestar-us-east-1-493865049436-larvel-test-pipe"。
但令我惊讶的是,当我在同一个管道控制台中按照从创建CodePipeline到创建Build的步骤操作时,得到的策略与您的版本1相同,而且它也能执行。然而,作为下一步,我在S3中为某一个bucket授予了特定权限(如下策略所示),它就起作用了。因此,在您的版本2中,您可以像下面的示例策略那样,把权限限制在特定的bucket上,而不是通过 "Resource": "*" 把这些权限授予账户内的所有S3资源。版本2的第三条语句把 "Resource": "*" 与 s3:GetObject、s3:PutObject、s3:List* 和 s3:CreateBucket 组合在一起,意味着该角色可以读写账户内任意bucket中的对象并创建新bucket,这远超流水线实际需要的范围,因此应按最小权限收窄到具体的bucket。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1",
"arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-us-east-1-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::aws-codestar-us-east-1-493865049436-larvel-test-pipe/*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
}
]
}