A similar question on this topic has already been asked here, but none of the solutions on that post worked for me and it is quite old, which led me to believe that maybe something has changed in AWS that warranted asking a new question.
关于这个主题的类似问题已经在这里被提出,但是该帖子上的解决方案都没有为我工作,而且它已经很老了,这让我相信AWS中的某些内容可能会发生变化,因此需要提出新问题。
Basically, I am using a CloudFormation template to define an IAM group with an inline policy so that its users can only access a single S3 bucket. Based on the linked question, I arrived at the following template (the original posts used JSON but I'm using YAML):
基本上,我使用CloudFormation模板来定义具有内联策略的IAM组,以便其用户只能访问单个S3存储桶。基于链接的问题,我到达了以下模板(原始帖子使用了JSON,但我使用的是YAML):
BucketAccessGroup:
Type: AWS::IAM::Group
Properties:
GroupName: my-bucket-admins
Path: /my-bucket-admins/
Policies:
- PolicyName: MyBucketAccess
PolicyDocument:
Version: 2012-10-17
Statement:
-
Effect: Allow
Action: s3:*
Resource:
- arn:aws:s3:::my-bucket-name
- arn:aws:s3:::my-bucket-name/*
-
Effect: Allow
Action: s3:ListAllMyBuckets
Resource: "*"
Unfortunately, an IAM user in this group is allowed not only to list every other bucket (required for Console access), but also to open, modify, and delete them, and their objects! Obviously this is not desired behavior! Has something changed with AWS that makes this policy no longer valid? Does the policy not work the same in a CloudFormation template as it does on its own? Any help would be appreciated!
不幸的是,该组中的IAM用户不仅可以列出所有其他存储桶(控制台访问所需),还可以打开,修改和删除它们及其对象!显然这不是理想的行为! AWS发生了哪些变化导致此政策不再有效?该策略在CloudFormation模板中的工作方式与它自身的工作方式不同吗?任何帮助,将不胜感激!
EDIT:
编辑:
As stated in @wjordan's answer, it turns out that another policy was already giving the group full S3 permissions. I was adding the AWSLambdaFullAccess managed policy, which unexpectedly had an allow s3:*
line (I left out of the above code b/c I didn't think it was relevant!). Given the need to coexist with that policy, here is my updated CF template which is working as intended, and is also a bit more secure:
正如@ wjordan的回答所述,事实证明另一个策略已经给了该组完全S3权限。我正在添加AWSLambdaFullAccess托管策略,它意外地有一个允许s3:*行(我从上面的代码中省略了b / c我认为它不相关!)。鉴于需要与该策略共存,这是我更新的CF模板,它按预期工作,并且更安全一点:
BucketAccessGroup:
Type: AWS::IAM::Group
Properties:
GroupName: my-bucket-admins
ManagedPolicyArns: [ "arn:aws:iam::aws:policy/AWSLambdaFullAccess" ]
Policies:
- PolicyName: MyBucketAccess
PolicyDocument:
Version: 2012-10-17
Statement:
- # Prevent changing permissions in any way on the desired bucket
Effect: Deny
Action:
- s3:DeleteBucket
- s3:DeleteBucketPolicy
- s3:PutBucketPolicy
- s3:PutBucketAcl
Resource:
- arn:aws:s3:::my-bucket-name
- arn:aws:s3:::my-bucket-name
- # Prevent all S3 actions except listing buckets, on everything except the desired bucket (AWSLambdaFullAccess already allows s3:*)
Effect: Deny
NotAction: s3:ListAllMyBuckets
NotResource:
- arn:aws:s3:::my-bucket-name
- arn:aws:s3:::my-bucket-name
1 个解决方案
#1
1
The policy provided looks correct and not out of date to me. Are you sure that the IAM user in question doesn't have any additional groups/policies applied beyond the AWS::IAM::Group
specified that would be granting them the unexpected permissions?
提供的政策看起来是正确的,并没有过时。您确定有问题的IAM用户没有在指定的AWS :: IAM :: Group之外应用任何其他组/策略来授予他们意外的权限吗?
One way to confirm this would be to create a new IAM user from scratch and attempt to reproduce the issue there.
确认这一点的一种方法是从头开始创建一个新的IAM用户并尝试在那里重现问题。
#1
1
The policy provided looks correct and not out of date to me. Are you sure that the IAM user in question doesn't have any additional groups/policies applied beyond the AWS::IAM::Group
specified that would be granting them the unexpected permissions?
提供的政策看起来是正确的,并没有过时。您确定有问题的IAM用户没有在指定的AWS :: IAM :: Group之外应用任何其他组/策略来授予他们意外的权限吗?
One way to confirm this would be to create a new IAM user from scratch and attempt to reproduce the issue there.
确认这一点的一种方法是从头开始创建一个新的IAM用户并尝试在那里重现问题。