Amazon Web Services: how to restrict an IAM user to access an S3 bucket only from a VPN connection
As the title says, we only need to allow a user to access an S3 bucket via a specific public IP, and for that we applied an IAM role to the user as shown below. However, we cannot access the bucket contents from the S3 browser extension.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::marketplace-logs",
        "arn:aws:s3:::marketplace-logs/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "13.XXX.XXX.XXX/32"
        }
      }
    }
  ]
}
Please help us achieve this.
================================== UPDATE =========================
Following @DennisTraub's suggestion, we modified the policy and configured CloudTrail data events on the bucket in question. Details below.
Non-working scenario
The modified IAM policy is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::marketplace-logs",
        "arn:aws:s3:::marketplace-logs/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "13.XXX.XXX.XXX/32"
        }
      }
    }
  ]
}
The CloudTrail event log for the non-working scenario, connected through the VPN, is as follows:
{
  "eventVersion": "1.07",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAZSCHXUU7OI4HIXXXX",
    "arn": "arn:aws:iam::65728044XXXX:user/s3_log_user",
    "accountId": "65728044XXXX",
    "accessKeyId": "AKIAZSCHXUU7P5Z5XXXX",
    "userName": "s3_log_user"
  },
  "eventTime": "2020-05-26T05:37:44Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "ListObjects",
  "awsRegion": "ap-southeast-1",
  "sourceIPAddress": "17.225.XXX.XXX",
  "userAgent": "[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36]",
  "errorCode": "AccessDenied",
  "errorMessage": "Access Denied",
  "requestParameters": {
    "list-type": "2",
    "bucketName": "marketplace-logs",
    "encoding-type": "url",
    "max-keys": "100",
    "prefix": "",
    "delimiter": "/",
    "Host": "marketplace-logs.s3.ap-southeast-1.amazonaws.com"
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "TJg0h0KwFF3tggz6p4wit8Gsw+pMhZdTn2H4IMp/q1CY057Jdp3xzPjINIkwR1e1VOcCGt9XXXXX",
    "bytesTransferredOut": 243
  },
  "requestID": "F1D6946A8144XXXX",
  "eventID": "fb2ecf2a-df7c-476b-99de-631d486cXXXX",
  "readOnly": true,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARNPrefix": "arn:aws:s3:::marketplace-logs/"
    },
    {
      "accountId": "65728044XXXX",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::marketplace-logs"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "65728044XXXX",
  "vpcEndpointId": "vpce-7d95XXXX",
  "eventCategory": "Data"
}
Working scenario
The modified IAM policy is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::marketplace-logs",
        "arn:aws:s3:::marketplace-logs/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "182.69.XXX.XXX/32"
        }
      }
    }
  ]
}
The CloudTrail event log for the working scenario, without the VPN connection, is as follows:
{
  "eventVersion": "1.07",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAZSCHXUU7OI4HIXXXX",
    "arn": "arn:aws:iam::65728044XXXX:user/s3_log_user",
    "accountId": "65728044XXXX",
    "accessKeyId": "AKIAZSCHXUU7P5Z5XXXX",
    "userName": "s3_log_user"
  },
  "eventTime": "2020-05-26T06:37:27Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "ListObjects",
  "awsRegion": "ap-southeast-1",
  "sourceIPAddress": "182.69.XXX.XXX",
  "userAgent": "[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36]",
  "requestParameters": {
    "list-type": "2",
    "bucketName": "marketplace-logs",
    "encoding-type": "url",
    "max-keys": "100",
    "prefix": "",
    "delimiter": "/",
    "Host": "marketplace-logs.s3.ap-southeast-1.amazonaws.com"
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "CbL2Rxnc1vji9VNOpySFifRpYI8S2Try7/J71wAGV5WZ3HGEv9UANDgHpV3TMFGWKOqQ72WiXXXX",
    "bytesTransferredOut": 716
  },
  "requestID": "6B5AA70ED67EXXXX",
  "eventID": "654eb15e-bd64-4b4d-97b7-362f1f21XXXX",
  "readOnly": true,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARNPrefix": "arn:aws:s3:::marketplace-logs/"
    },
    {
      "accountId": "65728044XXXX",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::marketplace-logs"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "65728044XXXX",
  "eventCategory": "Data"
}
Please help us get this working?

It looks like the browser extension needs more permissions. The AWS CloudTrail log shows that the browser is trying to call s3:ListObjects. Add this action to the policy and try again.

In the end, with help from AWS Support, we were able to restrict S3 bucket access to the VPN connection only. In practice, the VPN connection always terminates in an AWS VPC that belongs to the customer account. So the condition below is the one to substitute in order to limit this access to requests originating from the VPC endpoint or the VPC. To do this we can use
"Condition": {
  "StringNotEquals": {
    "aws:sourceVpce": "vpce-013cab36cf79XXXXX"
  }
}
or
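The two points the thread turns on, the Allow/Deny evaluation order described in the comments and the reason an aws:SourceIp condition never matches a request that arrives through the VPC endpoint, can be checked offline with a small model of IAM condition evaluation. This is an added example, not code from the question or from AWS; the request contexts and IDs are constructed placeholders, and it only evaluates the Condition block (Action and Resource are assumed to match).

```python
import ipaddress

# Constructed sample request contexts, modelled on the CloudTrail fields in the
# question; the IDs and addresses are placeholders, not the post's real values.
VPN_REQUEST = {"aws:SourceIp": "10.0.12.34", "aws:sourceVpce": "vpce-0123456789abcdef0"}
HOME_REQUEST = {"aws:SourceIp": "203.0.113.7"}  # no VPC endpoint in the path

def _match(op, key, expected, ctx):
    """Evaluate one condition operator; negated operators match when the key is absent."""
    actual = ctx.get(key)
    if op in ("IpAddress", "NotIpAddress"):
        hit = actual is not None and ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
        return hit if op == "IpAddress" else not hit
    if op in ("StringEquals", "StringNotEquals"):
        return (actual == expected) if op == "StringEquals" else (actual != expected)
    raise ValueError(f"unsupported operator {op}")

def statement_applies(stmt, ctx):
    """Assumes Action/Resource already match; only the Condition block is checked."""
    return all(_match(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for k, v in pairs.items())

def evaluate(policy, ctx):
    """IAM logic the comments describe: implicit deny by default, explicit Deny beats Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# The question's first attempt: a lone Deny can never grant anything.
DENY_ONLY = policy({"Effect": "Deny", "Condition": {"NotIpAddress": {"aws:SourceIp": "198.51.100.5/32"}}})
# Allow keyed on the VPN's public IP: fails, because the request arrives via the VPC endpoint.
ALLOW_BY_IP = policy({"Effect": "Allow", "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.5/32"}}})
# The shape AWS Support suggested: Allow, plus a Deny for anything not from the VPC endpoint.
VPCE_ONLY = policy({"Effect": "Allow"},
                   {"Effect": "Deny", "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-0123456789abcdef0"}}})

if __name__ == "__main__":
    for name, pol in [("DENY_ONLY", DENY_ONLY), ("ALLOW_BY_IP", ALLOW_BY_IP), ("VPCE_ONLY", VPCE_ONLY)]:
        print(f"{name}: vpn={evaluate(pol, VPN_REQUEST)} home={evaluate(pol, HOME_REQUEST)}")
```

The VPN request carries a private VPC address plus a vpcEndpointId, exactly as in the AccessDenied CloudTrail event above, which is why only the aws:sourceVpce policy admits it.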
To confirm, the S3 browser is using IAM credentials that have GetObject permission?

Yes... it is a Chrome extension that needs the access key / secret key / bucket name / region name. Please clarify.

So you created an IAM user for some browser extension. You loaded the secret IAM keys into the extension. The user has this policy attached. The policy denies if the IP is wrong. But what about the policy that allows access? If you only have a "Deny", how would the IAM user get permission to access the bucket at all? This only works if there is a specific "Allow" statement in an IAM policy attached (directly or indirectly) to the user. AWS IAM implicitly denies everything. You can explicitly allow certain actions. An explicit Deny overrides any explicit Allow, but you first need an Allow to enable access. To troubleshoot this, can you enable data event logging for the bucket in AWS CloudTrail? Then try to access objects in the bucket; after a few minutes the related events will show up in the audit trail. See whether you can find any events related to the access, to understand what exactly happens and whether some API calls are allowed or denied. Here is how to log data events with AWS CloudTrail:

Hi @DennisTraub, I have updated the question with the working and non-working scenarios, with the same permissions in the IAM policy. I noticed that when I put my personal IP range in the policy... the same IP shows up in the data event log, but when I put the VPN server IP range in the policy... the data event log shows the private VPC IP range instead of the public VPN IP range. Why is the private VPC IP range used instead of the public IP when connected to the VPN... Also, I tried putting the private VPC IP range in the policy, but that did not work either... Any other suggestions?