S3 Bucket Policy

Copy the bucket policy below, replacing <BUCKET_NAME> with your own bucket name and <VPC_ENDPOINT_ID> with the ID of your VPC endpoint. The policy also contains the placeholders <my-account-id>, <load-balancing-account-id>, <third-party-account-a> and <third-party-account-b>; replace them with real account IDs (or delete the entries you do not need) before applying it, otherwise the policy will not validate.

The first statement denies every request that does not use TLS (aws:SecureTransport is false). The second statement denies object reads, writes and deletes that do not arrive through the specified VPC endpoint, including requests made from the AWS Management Console, unless the requester is tagged network-perimeter-exception:true, belongs to one of the listed accounts, is an AWS service principal or is acting through an AWS service, or is a service-linked role in your account. A requester tagged network-perimeter-exception:true is therefore exempt from the VPC endpoint restriction (the TLS-only statement still applies). Note also that the second statement only applies to principals tagged data-perimeter-include:true; a principal without that tag is not restricted by it at all, so tag the roles you want inside the perimeter before relying on this policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>",
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Principal": "*",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*",
                "s3:DeleteObject*"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:s3:::<BUCKET_NAME>/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "<VPC_ENDPOINT_ID>",
                    "aws:PrincipalTag/network-perimeter-exception": "true",
                    "aws:PrincipalAccount": [
                        "<load-balancing-account-id>",
                        "<third-party-account-a>",
                        "<third-party-account-b>"
                    ]
                },
                "BoolIfExists": {
                    "aws:PrincipalIsAWSService": "false",
                    "aws:ViaAWSService": "false"
                },
                "ArnNotLikeIfExists": {
                    "aws:PrincipalArn": "arn:aws:iam::<my-account-id>:role/aws-service-role/*"
                },
                "StringEquals": {
                    "aws:PrincipalTag/data-perimeter-include": "true"
                }
            }
        }
    ]
}
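As an added illustration (not code from this page or from the aws-samples repository linked below), the following Python script models how IAM evaluates the two Deny statements above and runs a few constructed request contexts through them. It is not IAM itself; it only reproduces the condition-operator rules this policy depends on: a negated operator such as StringNotEquals also holds when the key is absent from the request context (which is why a request that does not come through any VPC endpoint is denied), the ...IfExists operators hold when the key is absent, and StringEquals and Bool do not. The bucket name, endpoint ID, account IDs and role ARNs are assumed placeholder values, and the request contexts are constructed for the example rather than taken from real CloudTrail records.

```python
import fnmatch

# Assumed placeholder values for the policy's <...> fields.
BUCKET_NAME = "example-bucket"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"
MY_ACCOUNT_ID = "111111111111"
EXEMPT_ACCOUNTS = ["222222222222", "333333333333", "444444444444"]

BUCKET_ARN = f"arn:aws:s3:::{BUCKET_NAME}"
OBJECT_ARNS = f"arn:aws:s3:::{BUCKET_NAME}/*"
SERVICE_ROLE_ARNS = f"arn:aws:iam::{MY_ACCOUNT_ID}:role/aws-service-role/*"


def _get(ctx, key):
    """IAM condition key names are case-insensitive; values are not."""
    for k, v in ctx.items():
        if k.lower() == key.lower():
            return v
    return None


def string_equals(ctx, key, value):
    """StringEquals / Bool: an absent key never matches."""
    return _get(ctx, key) == value


def string_not_equals(ctx, key, values):
    """StringNotEquals: a negated operator also holds when the key is absent."""
    actual = _get(ctx, key)
    return actual is None or actual not in values


def bool_if_exists(ctx, key, value):
    """BoolIfExists: holds when the key is absent or equals the value."""
    actual = _get(ctx, key)
    return actual is None or actual == value


def arn_not_like_if_exists(ctx, key, pattern):
    """ArnNotLikeIfExists: holds when the key is absent or the ARN does not match."""
    actual = _get(ctx, key)
    return actual is None or not fnmatch.fnmatchcase(actual, pattern)


def _any_match(value, patterns):
    # IAM action/resource wildcards behave like shell-style globs here.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def allow_ssl_requests_only_denies(action, resource, ctx):
    """Sid AllowSSLRequestsOnly: deny anything sent over plain HTTP."""
    return (_any_match(action, ["s3:*"])
            and _any_match(resource, [BUCKET_ARN, OBJECT_ARNS])
            and string_equals(ctx, "aws:SecureTransport", "false"))


def vpce_only_denies(action, resource, ctx):
    """Sid Access-to-specific-VPCE-only: every key in Condition must hold."""
    if not _any_match(action, ["s3:GetObject*", "s3:PutObject*", "s3:DeleteObject*"]):
        return False
    if not _any_match(resource, [OBJECT_ARNS]):
        return False
    return (string_not_equals(ctx, "aws:sourceVpce", [VPC_ENDPOINT_ID])
            and string_not_equals(ctx, "aws:PrincipalTag/network-perimeter-exception", ["true"])
            and string_not_equals(ctx, "aws:PrincipalAccount", EXEMPT_ACCOUNTS)
            and bool_if_exists(ctx, "aws:PrincipalIsAWSService", "false")
            and bool_if_exists(ctx, "aws:ViaAWSService", "false")
            and arn_not_like_if_exists(ctx, "aws:PrincipalArn", SERVICE_ROLE_ARNS)
            and string_equals(ctx, "aws:PrincipalTag/data-perimeter-include", "true"))


def is_denied(action, resource, ctx):
    """An explicit Deny from either statement overrides any Allow."""
    return (allow_ssl_requests_only_denies(action, resource, ctx)
            or vpce_only_denies(action, resource, ctx))


# Constructed request context for an in-perimeter role (not a real CloudTrail record).
IN_SCOPE_ROLE = {
    "aws:PrincipalAccount": MY_ACCOUNT_ID,
    "aws:PrincipalArn": f"arn:aws:iam::{MY_ACCOUNT_ID}:role/app-role",
    "aws:PrincipalTag/data-perimeter-include": "true",
    "aws:SecureTransport": "true",
}
OBJECT = f"arn:aws:s3:::{BUCKET_NAME}/data.csv"


def scenarios():
    """Map each scenario name to whether the policy denies the request."""
    untagged = {k: v for k, v in IN_SCOPE_ROLE.items() if "data-perimeter-include" not in k}
    partner = {**IN_SCOPE_ROLE, "aws:PrincipalAccount": EXEMPT_ACCOUNTS[0],
               "aws:PrincipalArn": f"arn:aws:iam::{EXEMPT_ACCOUNTS[0]}:role/partner-role"}
    slr_arn = f"arn:aws:iam::{MY_ACCOUNT_ID}:role/aws-service-role/x.amazonaws.com/AWSServiceRoleForX"
    return {
        "via_vpce": is_denied("s3:GetObject", OBJECT, {**IN_SCOPE_ROLE, "aws:sourceVpce": VPC_ENDPOINT_ID}),
        "from_internet": is_denied("s3:GetObject", OBJECT, IN_SCOPE_ROLE),
        "other_vpce": is_denied("s3:PutObject", OBJECT, {**IN_SCOPE_ROLE, "aws:sourceVpce": "vpce-0fedcba9876543210"}),
        "plain_http_via_vpce": is_denied("s3:GetObject", OBJECT, {**IN_SCOPE_ROLE, "aws:sourceVpce": VPC_ENDPOINT_ID, "aws:SecureTransport": "false"}),
        "exception_tag": is_denied("s3:GetObject", OBJECT, {**IN_SCOPE_ROLE, "aws:PrincipalTag/network-perimeter-exception": "true"}),
        "exempt_account": is_denied("s3:GetObject", OBJECT, partner),
        "via_aws_service": is_denied("s3:GetObject", OBJECT, {**IN_SCOPE_ROLE, "aws:ViaAWSService": "true"}),
        "service_linked_role": is_denied("s3:GetObject", OBJECT, {**IN_SCOPE_ROLE, "aws:PrincipalArn": slr_arn}),
        "untagged_role_from_internet": is_denied("s3:GetObject", OBJECT, untagged),
        "list_bucket_from_internet": is_denied("s3:ListBucket", BUCKET_ARN, IN_SCOPE_ROLE),
    }


if __name__ == "__main__":
    for name, denied in scenarios().items():
        print(f"{name:30s} {'DENY' if denied else 'not denied by this policy'}")
```

Two rows of the output deserve attention. untagged_role_from_internet is not denied, because the Deny is scoped with StringEquals on aws:PrincipalTag/data-perimeter-include and an absent tag never matches; the policy only takes effect for principals you have tagged. list_bucket_from_internet is also not denied, because the second statement covers only object-level actions on <BUCKET_NAME>/*; bucket-level operations such as listing are left to other controls.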

For the complete architecture design, see: Preventing IAM roles from accessing S3 buckets from outside the VPC

GitHub: https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/resource_based_policies/s3_bucket_policy.json
