组织级别共享S3存储桶

常见场景是在日志归档账户中创建S3存储桶，组织范围内所有的账户都允许写入cloudtrail日志到存储桶：

将以下存储桶策略中的BUCKETNAME替换成自己的存储桶名称；

o-organizationID替换成自己的organization的id；

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allowcloudtrairead",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:Get*",
            "Resource": "arn:aws:s3:::BUCKETNAME",
            "Condition": {
                "StringEquals": {
                    "aws:SourceOrgID": "o-organizationID"
                }
            }
        },
        {
            "Sid": "allowcloudtraiwrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:Put*",
            "Resource": "arn:aws:s3:::BUCKETNAME/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceOrgID": "o-organizationID"
                }
            }
        }
    ]
}

上一页跨账户管理VPC 下一页在 AWS 上构建安全的企业机器学习平台

最后更新于7个月前