【发布时间】:2018-10-22 12:10:03
【问题描述】:
我正在尝试编写存储桶策略,以根据 How to Use Bucket Policies and Apply Defense-in-Depth to Help Secure Your Amazon S3 Data | AWS Security Blog 使用 AWS 的深度防御方法来拒绝对存储桶和对象的公共访问。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyUnSecureCommunications",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::ironman111",
"arn:aws:s3:::ironman111/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "DenyPublicReadACL",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::ironman111/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": [
"public-read",
"public-read-write",
"authenticated-read"
]
}
}
},
{
"Sid": "DenyPublicReadGrant",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::ironman111/*",
"Condition": {
"StringLike": {
"s3:x-amz-grant-read": [
"*http://acs.amazonaws.com/groups/global/AllUsers*",
"*http://acs.amazonaws.com/groups/global/AuthenticatedUsers*"
]
}
}
},,
{
"Sid": "DenyPublicListACL",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutBucketAcl",
"Resource": "arn:aws:s3:::ironman111",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": [
"public-read",
"public-read-write",
"authenticated-read"
]
}
}
},
{
"Sid": "DenyPublicListGrant",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutBucketAcl",
"Resource": "arn:aws:s3:::ironman111",
"Condition": {
"StringLike": {
"s3:x-amz-grant-read": [
"*http://acs.amazonaws.com/groups/global/AllUsers*",
"*http://acs.amazonaws.com/groups/global/AuthenticatedUsers*"
]
}
}
}
]
}
但是,我没有看到上述政策限制我将存储桶或对象公开或其 ACL 公开读/写。
我后来在政策中添加了以下内容。在这种情况下,资源是私有的,但现在我被限制在账户之间共享 S3 存储桶。
{
"Sid": "DenyAuthenticatedUsersAccess",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::ironman111/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-acl": "private"
}
}
},
{
"Sid": "DenyAuthenticatedUsersAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutBucketAcl",
"Resource": "arn:aws:s3:::ironman111",
"Condition": {
"StringNotEquals": {
"s3:x-amz-acl": "private"
}
}
},
请提出第一项政策的问题。
我无法使用 IAM 策略验证器,因为它是存储桶策略。另外,我无法测试跨账户,因为我没有其他规范 ID。
为什么顺序在资源数组中很重要?
更新:
我已向 IAM 用户添加了以下策略,它仍然允许创建具有公共访问权限的存储桶。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": [
"s3:CreateBucket",
"s3:PutBucketAcl"
],
"Resource": "*",
"Condition": {
"StringLike": {
"s3:x-amz-acl": [
"public-read",
"public-read-write"
]
}
}
}
]
}
我需要阻止存储桶公开的政策。
【问题讨论】:
-
“建议第一个策略有什么问题”是什么意思?您遇到了什么具体问题?
-
桶默认是私有的,只有在桶中添加了桶策略才能公开访问。如果对象 ACL 设置为公共,也可以将单个对象设为公共。那么,当您说“我需要政策来阻止存储桶公开”时,您的意思是什么?您的意思是将来停止添加存储桶策略吗?
-
感谢您抽出宝贵时间约翰。我试图限制用户将存储桶和对象公开。我认为最好的方法是限制用户对策略和 ACL 进行更改。
-
是的,将这些权限限制为仅管理员会阻止他们公开对象。另见:Amazon S3 bucket policy for public restrictions only
标签: amazon-web-services amazon-s3