我有一个只有用户才能访问的S3存储桶("myBucket"(,我们称之为"s3user"。我有一个附加到此用户的 IAM 策略,如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::myBucket"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetObjectVersion"
],
"Resource": "*"
}
]
}
我将此 IAM 策略附加到用户"s3User",授予对"myBucket"的只读访问权限。目前为止,一切都好。
现在,我添加了第二个策略,但现在不是 IAM 策略,而是 S3 存储桶策略,如下所示:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myBucket/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.4/27",
"2.3.4.1/28",
"5.6.7.8/29"
]
}
}
}
]
}
我预计此显式拒绝将拒绝所有不是来自指定源 IP 范围的请求。但是,它仍然让我列出来自其他 IP 的存储桶内容。似乎存储桶策略根本没有效果。
根据这篇 AWS S3 文章,当您有多个策略时,它们都会应用,并且显式拒绝优先于显式允许,所以我认为这应该有效,但事实并非如此。
为什么我无法根据源IP地址拒绝对存储桶的请求的任何想法?
谢谢!
您应该更新Deny策略以包含对存储桶本身而不是其内容执行的操作 ( /* (:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "DenyOutsideIPfromBucket",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetObjectVersion"
],
"Resource": ["arn:aws:s3:::myBucket/*", "arn:aws:s3:::myBucket"],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.4/27",
"2.3.4.1/28",
"5.6.7.8/29"
]
}
}
}
]
}
当然,如果唯一有权访问存储桶的用户是具有 IAM 策略的用户,您只需在原始 IAM 策略上添加IpAddress条件,以便他们只能使用给定 IP 地址集中的存储桶。这将避免制定Deny政策的需要。