您可以使用标签授予对S3存储桶的访问权限吗?

问题描述 投票:0回答:2

我只是尝试将标签添加到某些存储桶中,然后创建了一个内联IAM角色策略,该策略可以使该角色访问S3存储桶,但无法正常工作。我同时尝试了iam:ResourceTag/tagNames3:ResourceTag/tagName作为条件,但是都没有用。

看起来一切都很好,我开始认为AWS可能尚未针对S3实施此功能。是这样吗我尝试查看文档,但实际上我没有发现与使用S3的标签有关的任何信息。

例如,角色HumanResources应该对所有标记有HRRecruitment等的存储桶都具有,但是没有其他存储桶。

amazon-web-services security amazon-s3 amazon-iam
2个回答
1
投票

在查看Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management时,似乎无法在IAM策略中指定存储桶标签。

一种选择是在存储桶名称中使用通配符。例如,您可以授予访问权限:

acme-hr-1

您可以基于存储区名称acme-hr-*授予权限。


-1
投票

是,可以,但是您需要在每个S3资源策略上进行操作。

这里是一个S3策略,仅将IAM用户和角色的Tag部门设置为“ hr”,才授予对存储桶的访问权限。

为了确保HR员工只能访问这些存储桶,您需要从其IAM用户/角色访问策略中删除所有S3访问。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyObjectOthers",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:DeleteObject*",
        "s3:PutObject*",
        "s3:GetObject*",
        "s3:RestoreObject*"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalTag/department": [
            "hr"
          ]
        }
      }
    },
    {
      "Sid": "DenyListOthers",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:ListBucket*"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalTag/department": [
            "hr"
          ]
        }
      }
    },
    {
      "Sid": "AllowObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_ACCOUNT_NUMBER:root"
      },
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:DeleteObject*",
        "s3:PutObject*",
        "s3:GetObject*",
        "s3:RestoreObject*"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalTag/department": [
            "hr"
          ]
        }
      }
    },
    {
      "Sid": "AllowList",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_ACCOUNT_NUMBER:root"
      },
      "Action": [
        "s3:ListBucket*"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalTag/department": [
            "hr"
          ]
        }
      }
    }
  ]
}

先前的错误答案发件人:IAM Policy Elements: Variables and Tags - AWS Identity and Access Management

    "Resource": ["arn:aws:s3:::bucket/${aws:PrincipalTag/department}"]

还请确保在2012-10-17处包含版本。

© www.soinside.com 2019 - 2024. All rights reserved.