2

I have one s3 bucket in one AWS account say ACCID1. I want to allow root and one particular user USER1 to have full access on it. From another account, ACCID2, I have IAM role which I want to attach to EC2 instance and allow access from that IAM role only. Role is backup-full-access(read,write and delete). I have created following bucket policy but I can't access the bucket through EC2 instance launched with above IAM role (in ACCID2). I am able to use it from EC2 instance as USER1 from ACCID1 and perform list, create and delete.

{  
   "Version":"2012-10-17",
   "Id":"BackupBucketPolicy",
   "Statement":[  
      {  
         "Sid":"DenyAllOther",
         "Effect":"Deny",
         "NotPrincipal":{  
            "AWS":[  
               "arn:aws:iam::ACCID1:user/USER1",
               "arn:aws:iam::ACCID1:root",
               "arn:aws:iam::ACCID2:role/backup-full-access"
            ]
         },
         "Action":"s3:*",
         "Resource":[  
            "arn:aws:s3:::test-nr-6",
            "arn:aws:s3:::test-nr-6/*"
         ]
      },
      {  
         "Sid":"DevAccountRootFullAccess",
         "Effect":"Allow",
         "Principal":{  
            "AWS":[  
               "arn:aws:iam::ACCID1:user/USER1",
               "arn:aws:iam::ACCID1:root"
            ]
         },
         "Action":"s3:*",
         "Resource":[  
            "arn:aws:s3:::test-nr-6",
            "arn:aws:s3:::test-nr-6/*"
         ]
      },
      {  
         "Sid":"GraphBackupReadWriteDeleteAccess",
         "Effect":"Allow",
         "Principal":{  
            "AWS":"arn:aws:iam::ACCID2:role/backup-full-access"
         },
         "Action":[  
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject"
         ],
         "Resource":[  
            "arn:aws:s3:::test-nr-6",
            "arn:aws:s3:::test-nr-6/*"
         ]
      }
   ]
}

The IAM role backup-full-access has policy:

{  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Sid":"Stmt2",
         "Effect":"Allow",
         "Action":[  
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject"
         ],
         "Resource":[  
            "arn:aws:s3:::test-nr-6",
            "arn:aws:s3:::test-nr-6/*"
         ]
      }
   ]
}

I can't figure out what is going wrong here. Any Help would be appreciated.

4

1 回答 1

3

首先,您不需要拒绝所有其他策略,因为 S3 存储桶权限是默认拒绝的。

其次,您需要在创建角色时将角色的类型设置backup-full-accessRole for Cross-Account Access

最后,你的角色策略应该写成:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
       ],
      "Resource": "arn:aws:s3:::test-nr-6"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::test-nr-6/*"
    }
  ]
}

来源:使用 IAM 角色委派跨 AWS 账户的访问

于 2017-01-13T16:58:55.057 回答