I am trying to get my S3 bucket to store access logs. Below is how I deploy the required policy for it using Terraform.

resource "aws_s3_bucket_policy" "bucket_logging_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "logging.s3.amazonaws.com"
        },
        "Action" : "s3:PutObject",
        "Resource" : "arn:aws:s3:::${aws_s3_bucket.s3_access_logs_bucket.id}/*"
      }
    ]
  })
}
However, at build time SonarQube throws errors on the following lines:

"Effect" : "Allow", -> Non-compliant requests should be denied.
"Action" : "s3:PutObject", -> All S3 actions should be restricted.

I tried the general suggestions given by SonarQube (below) and by AWS, but no luck. I am quite new to this, so it is hard to figure out. Any idea where the policy is not compliant?
resource "aws_s3_bucket_policy" "bucket_logging_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
  policy = jsonencode({
    "Version" = "2012-10-17",
    "Statement" = [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "logging.s3.amazonaws.com"
        },
        "Action" : "s3:PutObject",
        "Resource" : "arn:aws:s3:::${aws_s3_bucket.s3_access_logs_bucket.id}/*"
      },
      {
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "s3:*",
        "Resource" : "arn:aws:s3:::${aws_s3_bucket.s3_access_logs_bucket.id}/*",
        "Condition" : {
          "Bool" : {
            "aws:SecureTransport" : "false"
          }
        }
      }
    ]
  })
}
I also made sure I meet the conditions given here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

Based on the link you sent, it seems a condition is missing from your policy, namely:
resource "aws_s3_bucket_policy" "bucket_logging_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "logging.s3.amazonaws.com"
        },
        "Action" : "s3:PutObject",
        "Resource" : "${aws_s3_bucket.s3_access_logs_bucket.arn}/*",
        "Condition" : {
          "ArnLike" : {
            "aws:SourceArn" : aws_s3_bucket.s3_access_logs_bucket.arn
          },
          "StringEquals" : {
            "aws:SourceAccount" : "<source account id>"
          }
        }
      }
    ]
  })
}
As you can see, the bucket resource also exports the ARN attribute, so you do not have to construct the whole ARN from the ID. Also, I always recommend using a data source to build any kind of policy in Terraform, since it is easier to work with and avoids mistakes:
data "aws_iam_policy_document" "s3_policy" {
  statement {
    sid    = "S3ServerAccessLogsPolicy"
    effect = "Allow"
    principals {
      type = "Service"
      identifiers = [
        "logging.s3.amazonaws.com"
      ]
    }
    actions = [
      "s3:PutObject"
    ]
    resources = [
      "${aws_s3_bucket.s3_access_logs_bucket.arn}/*"
    ]
    condition {
      variable = "aws:SourceArn"
      test     = "ArnLike"
      values = [
        aws_s3_bucket.s3_access_logs_bucket.arn
      ]
    }
    condition {
      variable = "aws:SourceAccount"
      test     = "StringEquals"
      values = [
        "<source account id>"
      ]
    }
  }
}

resource "aws_s3_bucket_policy" "bucket_logging_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
  policy = data.aws_iam_policy_document.s3_policy.json
}
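As an added example (not code from the question or the answer), here is a small Python check over the rendered bucket-policy JSON that flags what the two SonarQube findings point at: a logging-service Allow that lacks the aws:SourceArn / aws:SourceAccount conditions from the answer, and the absence of the HTTPS-only Deny from the question. The bucket ARN and account id are constructed placeholders standing in for the Terraform references.

```python
import json

# Constructed placeholders for the Terraform references on the page.
LOG_BUCKET_ARN = "arn:aws:s3:::example-access-logs-bucket"
ACCOUNT_ID = "111122223333"
LOGGING_SERVICE = "logging.s3.amazonaws.com"

def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Service; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def check_log_bucket_policy(policy_json, source_arn, account_id):
    """Return findings for an access-log bucket policy; empty means every guard is present."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    log_stmts = [s for s in statements if s.get("Effect") == "Allow"
                 and isinstance(s.get("Principal"), dict)
                 and LOGGING_SERVICE in _as_list(s["Principal"].get("Service"))]
    if not log_stmts:
        findings.append("no Allow statement for " + LOGGING_SERVICE)
    for s in log_stmts:
        if _as_list(s.get("Action")) != ["s3:PutObject"]:
            findings.append("logging service should be limited to s3:PutObject")
        cond = s.get("Condition", {})
        if cond.get("ArnLike", {}).get("aws:SourceArn") != source_arn:
            findings.append("missing or wrong aws:SourceArn condition")
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            findings.append("missing or wrong aws:SourceAccount condition")
    if not any(s.get("Effect") == "Deny" and s.get("Condition", {}).get("Bool", {})
               .get("aws:SecureTransport") == "false" for s in statements):
        findings.append("no Deny statement for aws:SecureTransport=false")
    return findings

def sample_policy(with_conditions):
    """Constructed policy: the question's Allow statement, optionally with the answer's
    SourceArn/SourceAccount conditions, plus the question's HTTPS-only Deny."""
    allow = {"Effect": "Allow", "Principal": {"Service": LOGGING_SERVICE},
             "Action": "s3:PutObject", "Resource": LOG_BUCKET_ARN + "/*"}
    if with_conditions:
        allow["Condition"] = {"ArnLike": {"aws:SourceArn": LOG_BUCKET_ARN},
                              "StringEquals": {"aws:SourceAccount": ACCOUNT_ID}}
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": LOG_BUCKET_ARN + "/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
    return json.dumps({"Version": "2012-10-17", "Statement": [allow, deny]})
```

Run it against the output of `terraform show -json` (or the data source's rendered `json` attribute) to confirm the conditions actually made it into the policy before relying on SonarQube to tell you.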