aws-cloudformation - 创建仅限 S3 的用户

Question

我正在尝试创建一个仅限 S3 的用户，根据定义，该用户无法访问任何其他资源。用户可以从S3上传和下载文件。我创建了一个基本模板，可以在此处找到...

https://github.com/shantanuo/aws-cloudformation-templates/blob/master/aws/services/IAM/IAM_Users_Groups_and_Policies.yaml

但它允许访问 cloudformation，这在我的情况下是不必要的。我已阅读以下页面，但不知道如何将它们包含在我的模板中。

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

https://docs.aws.amazon.com/AWSCloudForation/latest/UserGuide/aws-properties-iam-group.html

创建仅 S3 用户所需的最低参数是什么？

---

更新:这是我尝试过的 cloudformation 代码以及收到的错误:

错误消息:无法创建以下资源:[CFNRole、CFNUser]。 。用户请求回滚。

模板:

Parameters:
  NewUsername:
    NoEcho: 'false'
    Type: String
    Description: New account username
    MinLength: '1'
    MaxLength: '41'
    ConstraintDescription: the username must be between 1 and 41 characters
  Password:
    NoEcho: 'true'
    Type: String
    Description: New account password
    MinLength: '1'
    MaxLength: '41'
    ConstraintDescription: the password must be between 1 and 41 characters

Resources:
  CFNUser:
    Type: AWS::IAM::User
    Properties:
      LoginProfile:
        Password: !Ref 'Password'
      UserName : !Ref 'NewUsername'
  CFNRole:
    Type: AWS::IAM::Role
    Properties :
      PermissionsBoundary : arn:aws:iam::aws:policy/AmazonS3FullAccess
      RoleName : 'myPermissionBoundary'
  CFNKeys:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref 'CFNUser'

Outputs:
  AccessKey:
    Value: !Ref 'CFNKeys'
    Description: AWSAccessKeyId of new user
  SecretKey:
    Value: !GetAtt [CFNKeys, SecretAccessKey]
    Description: AWSSecretAccessKey of new user

我已检查此链接，但不确定如何将该策略包含在我当前的模板中。 https://aws.amazon.com/blogs/security/easier-way-to-control-access-to-aws-regions-using-iam-policies/

Answer 1

您在模板中明确授予新用户对 Cloudformation 的访问权限。您有此部分:

  CFNUserPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CFNUsers
      PolicyDocument:
        Statement:
        - Effect: Allow
          Action: ['cloudformation:Describe*', 'cloudformation:List*', 'cloudformation:Get*']
          Resource: '*'
      Groups: [!Ref 'CFNUserGroup']
  CFNAdminPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CFNAdmins
      PolicyDocument:
        Statement:
        - Effect: Allow
          Action: cloudformation:*
          Resource: '*'
Groups: [!Ref 'CFNAdminGroup']

其中您的允许语句专门提供对 Cloudformation 的访问。如果您尝试授予对 s3 的访问权限，那么为什么要授予对 Cloudformation 的访问权限？

如果您希望用户只能访问 s3，并进一步访问一个特定的 s3 存储桶，那么您的策略将如下所示(请注意，这是在 json 中):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                        "s3:GetBucketLocation",
                        "s3:ListAllMyBuckets"
                      ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET",
                "arn:aws:s3:::YOUR-BUCKET/*"
            ]
        }
    ]
}

如果您希望您的用户有权访问所有存储桶，那么您的策略将如下所示:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1557048549844",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

查看此来源:https://objectivefs.com/howto/how-to-restrict-s3-bucket-policy-to-only-one-aws-s3-bucket