1

我正在为各种帐户使用以下存储桶策略将日志推送到位于“ACCOUNT-ID-0”的集中式 S3 存储桶中:

我在 ACCOUNT-ID-0 中有此政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com",
                    "config.amazonaws.com",
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::BUCKET-NAME/vpc-flow-logs/AWSLogs/{ACCOUNT-ID-01}/*",
                "arn:aws:s3:::BUCKET-NAME/cloudtrail/AWSLogs/{ACCOUNT-ID-02}/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com",
                    "config.amazonaws.com",
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::BUCKET-NAME"
        }
    ]
}

我想获取位于“arn:aws:s3:::BUCKET-NAME/awsconfigconforms-rules/abc.yaml”中的文件

我正在尝试使用模板文件 abc.yaml 部署一致性包。我正在从 ACCOUNT-ID-03 运行 aws cli 命令并收到此错误: 调用 PutOrganizationConformancePack 操作时发生错误 (InsufficientPermissionsException):S3 URI 上的读取权限不足

有人可以帮我解决存储桶政策吗?

4

1 回答 1

1

ACCOUNT-ID-0您可以通过以下语句扩展您当前的存储桶策略:

{
    "Sid": "AllowReadsFromOtherAccount",
    "Effect": "Allow",
    "Principal": {
        "AWS": "ACCOUNT-ID-03"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::BUCKET-NAME/awsconfigconforms-rules/*"
}

请注意,您在ACCOUNT-ID-03需要中使用的 IAM 用户/角色还需要读取 s3 的权限。

于 2021-04-01T07:30:32.533 回答