2

这是来自AWS s3 存储桶策略无效组委托人的后续但独立的问题

我有 2 个组:开发人员和协作者。开发人员具有预配置的“PowerUser”组策略。协作者具有以下组策略

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::bucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::bucket/*.txt"
      }           
   ]
}

存储桶具有以下策略来拒绝上传未加密的 .txt 文件:

{
    "Version": "2008-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/*.txt",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        }
    ]
}

我期望的行为:“开发人员”组可以放置任何类型的文件,“.txt”文件必须加密,包括制作目录。“协作者”组只能放置、获取和删除“.txt”文件,不能创建目录。

我得到的行为与“开发人员”的预期一致。“协作者”的行为与开发人员相同,他们可以放置任何文件,而他们应该只能放置“.txt”文件。

我究竟做错了什么?

4

2 回答 2

1

经过大量试验和错误后,我尝试在存储桶级别执行大部分权限,但遇到了一些意外行为,不得不将其拆分为组和存储桶策略。这是我对“合作者”的组策略:

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::bucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObject"            
         ],
         "Resource":"arn:aws:s3:::bucket/*"
      }

   ]
}

这是只允许“协作者”组中的四个用户上传和删除“.txt”文件的存储桶策略:

{
    "Version": "2008-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/*.txt",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "CelOnly",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/collaborator1",
                    "arn:aws:iam::111122223333:user/collaborator2",
                    "arn:aws:iam::111122223333:user/collaborator3",
                    "arn:aws:iam::111122223333:user/collaborator4"
                ]
            },
            "Action": [
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "NotResource": "arn:aws:s3:::bucket/*.txt"
        }
    ]
}

在存储桶策略中包含 s3:GetObject 不允许下载“.txt”文件,这就是我不得不将其移至组策略的原因。我仍然不确定为什么要进行如此多的反复试验,而我的其他一些解决方案(例如原始问题中的解决方案)不起作用。但至少这是我的问题的答案。

于 2013-06-13T16:07:45.367 回答
0

如果您确定此策略仅附加到协作者组,则不应影响开发者。

从您的相关问题来看,您似乎最初尝试了存储桶策略。您是否仍然应用了将整个存储桶限制为 *.txt 文件的存储桶策略?尝试删除任何现有的存储桶策略。

于 2013-06-12T19:57:11.593 回答