gpt4 book ai didi

amazon-web-services - Terraform AWS S3 - 拒绝除特定用户以外的所有人

转载 作者:行者123 更新时间:2023-12-05 01:52:03 25 4
gpt4 key购买 nike

我有一个桶,我需要限制特定用户,我写了下面的脚本,但它似乎仍然允许所有用户对该桶进行操作。

resource "aws_s3_bucket" "vulnerability-scans" {
bucket = "vulnerability-scans"
}

resource "aws_s3_bucket_policy" "vulnerability-scans" {
bucket = aws_s3_bucket.vulnerability-scans.id
policy = data.aws_iam_policy_document.vulnerability-scans.json
}

data "aws_iam_policy_document" "vulnerability-scans" {
statement {
principals {
type = "AWS"
identifiers = [
aws_iam_user.circleci.arn,
]
}

actions = [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
]

resources = [
aws_s3_bucket.vulnerability-scans.arn,
"${aws_s3_bucket.vulnerability-scans.arn}/*",
]
}
}

最佳答案

我认为您必须考虑到其他用户可能在他们的策略中有 Allow,因此这里的方法应该是拒绝任何不是您想要的用户的用户访问。在 AWS 文档 [1] 中有详细的解释,但为了简洁起见,我认为 terraform 代码应该如下所示:

data "aws_iam_policy_document" "vulnerability-scans" {
statement {
sid = "AllExceptUser"
effect = "Deny"
principals {
type = "AWS"
identifiers = ["*"]
}

actions = [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
]

resources = [
aws_s3_bucket.vulnerability-scans.arn,
"${aws_s3_bucket.vulnerability-scans.arn}/*",
]

condition {
test = "StringNotLike"
variable = "aws:userId"
values = [
aws_iam_user.circleci.arn
]
}
}
}

尽管引用 URL 说它是针对 IAM 角色的,但这同样适用于用户。 StringNotLike 条件运算符在 [2] 中有更详细的解释。


[1] https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String

关于amazon-web-services - Terraform AWS S3 - 拒绝除特定用户以外的所有人,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/71796584/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com