我哈瓦的S3桶(“myBucket”),其中只有一个用户具有访问权限,姑且称之为“s3user”。我有连接到该用户的IAM策略如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::myBucket"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetObjectVersion"
],
"Resource": "*"
}
]
}
我重视这个IAM策略,以用户“s3User”,授予只读“myBucket”访问。到现在为止还挺好。
现在,我添加了第二个政策,但现在不是一个IAM政策,而是S3斗政策,具体如下:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myBucket/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.4/27",
"2.3.4.1/28",
"5.6.7.8/29"
]
}
}
}
]
}
我预计这一明确否认将拒绝不从指定的来源IP范围的所有请求。但是,它仍然让我从其他IP列出桶的内容。看来,如果桶政策没有效果的。
据this AWS S3 article,当你有多个策略,他们都可以应用,并明确否认有优先于明确的允许,所以我觉得这应该是工作,但事实并非如此。
任何想法,为什么我不能拒绝请求基于SOURCEIP地址的桶?
谢谢!
您应该更新您的Deny
政策以包括在桶本身进行的,而不是它的内容(/*
)操作:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "DenyOutsideIPfromBucket",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetObjectVersion"
],
"Resource": ["arn:aws:s3:::myBucket/*", "arn:aws:s3:::myBucket"],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.4/27",
"2.3.4.1/28",
"5.6.7.8/29"
]
}
}
}
]
}
当然,如果只让用户访问桶都与IAM政策的,你可以简单地添加在原来的IAM政策IpAddress
条件,所以他们只能用水桶从给定的IP地址。这将避免对Deny
政策的必要性。