我在一个 AWS 账户中有一个 s3 存储桶,比如 ACCID1。我想允许 root 和一个特定用户 USER1 对其具有完全访问权限。从另一个账户 ACCID2,我有 IAM 角色,我想将其附加到 EC2 实例,并仅允许从该 IAM 角色进行访问。角色是备份完全访问权限(读、写和删除)。我已创建以下存储桶策略,但我无法通过使用上述 IAM 角色(在 ACCID2 中)启动的 EC2 实例访问存储桶。我能够从EC2实例中将其用作ACCID1中的USER1并执行列表,创建和删除。
{
"Version":"2012-10-17",
"Id":"BackupBucketPolicy",
"Statement":[
{
"Sid":"DenyAllOther",
"Effect":"Deny",
"NotPrincipal":{
"AWS":[
"arn:aws:iam::ACCID1:user/USER1",
"arn:aws:iam::ACCID1:root",
"arn:aws:iam::ACCID2:role/backup-full-access"
]
},
"Action":"s3:*",
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
},
{
"Sid":"DevAccountRootFullAccess",
"Effect":"Allow",
"Principal":{
"AWS":[
"arn:aws:iam::ACCID1:user/USER1",
"arn:aws:iam::ACCID1:root"
]
},
"Action":"s3:*",
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
},
{
"Sid":"GraphBackupReadWriteDeleteAccess",
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::ACCID2:role/backup-full-access"
},
"Action":[
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
}
]
}
IAM 角色备份完全访问权限具有以下策略:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"Stmt2",
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource":[
"arn:aws:s3:::test-nr-6",
"arn:aws:s3:::test-nr-6/*"
]
}
]
}
我不知道这里出了什么问题。任何帮助将不胜感激。
首先,您不需要拒绝所有其他策略,因为默认情况下 S3 存储桶权限是拒绝的。
其次,您需要在创建backup-full-access角色时将其类型设置为跨账户访问的角色。
最后,您的角色策略应编写为:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::test-nr-6"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::test-nr-6/*"
}
]
}
来源:使用 IAM 角色跨 AWS 账户委派访问权限