gpt4 book ai didi

amazon-web-services - S3 存储桶策略限制对单个文件夹的访问

转载 作者:行者123 更新时间:2023-12-03 07:30:47 24 4
gpt4 key购买 nike

我有一个 S3 存储桶正在被多个 Lambda 访问。我想限制对单个文件夹的访问,以便只有一个 Lambda 可以访问它。

我有以下 Cloud Formation 模板来创建所有资源,但我无法获得正确的存储桶策略条件。当我的 Lambda 执行角色被指定为异常(exception)时,它会限制对该文件夹的访问,但不会授予对我的 Lambda 的访问权限。为什么下面的模板不起作用?

  ExampleBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub '${AWS::StackName}-${AWS::AccountId}-example-bucket'

ExampleBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref ExampleBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- 's3:*'
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${ExampleBucket}/example-folder/
- !Sub arn:aws:s3:::${ExampleBucket}/example-folder/*
Principal: '*'
Condition:
ArnNotEquals:
aws:SourceArn:
- !GetAtt LambdaExecutionRole.Arn

LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Sub ${AWS::StackName}-handler
CodeUri: ./src
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Runtime: nodejs12.x

LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
Policies:
- PolicyName: !Sub ${AWS::StackName}
PolicyDocument:
Statement:
- Action:
- s3:GetObject
- s3:ListBucket
- s3:PutObject
Effect: Allow
Resource:
- !Sub arn:aws:s3:::${ExampleBucket}
- !Sub arn:aws:s3:::${ExampleBucket}/*
- Action:
- lambda:InvokeFunction
Effect: Allow
Resource: '*'

我收到以下错误:“函数中的 StoreDB 错误:putStoreObject,访问 key :示例文件夹/示例文件,AWS S3 消息:访问被拒绝”

最佳答案

根据OP的评论,从aws:SourceArn更改为aws:PrincipalArn有效。

关于amazon-web-services - S3 存储桶策略限制对单个文件夹的访问,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/68444052/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com