跨账号访问S3存储桶
假设你有一个存储桶arn:aws:s3:::CT_S3_BUCKET_NAME,允许PARTNER_AWS_ACCOUNT_ID的root账号访问,则修改存储桶的bucket policy,替换CT_S3_BUCKET_NAME 成你的存储桶名称,PARTNER_AWS_ACCOUNT_ID 为你的合作伙伴的AWS账号。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossAccountAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::PARTNER_AWS_ACCOUNT_ID:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:GetObject*",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::CT_S3_BUCKET_NAME",
"arn:aws:s3:::CT_S3_BUCKET_NAME/*"
]
}
]
}
最终你的存储桶策略可能类似于下面的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::dp-ctlog-Your_Account_Id"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::dp-ctlog-Your_Account_Id/AWSLogs/Your_Account_Id/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "CrossAccountAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::PARTNER_AWS_ACCOUNT_ID:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:GetBucketAcl",
"s3:PutObjectAcl",
"s3:GetObject*",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::dp-ctlog-Your_Account_Id",
"arn:aws:s3:::dp-ctlog-Your_Account_Id/*"
]
}
]
}
最后更新于