Amazon web services 什么';在AWS中保持s3存储桶安全的替代方案是什么?
目前,我有一个名为Amazon web services 什么';在AWS中保持s3存储桶安全的替代方案是什么?,amazon-web-services,security,amazon-s3,Amazon Web Services,Security,Amazon S3,目前,我有一个名为stackoverflow2017的s3存储桶,其中包含一些文件: 并且,ACL的配置如下: $ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer $ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDevelo
stackoverflow2017
的s3存储桶,其中包含一些文件:
并且,ACL的配置如下:
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --group-name developers
{
"Version": "2012-10-17",
"Id": "Policy1515865416346",
"Statement": [
{
"Sid": "Stmt1515865413837",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::stackoverflow2017/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.1"
}
}
}
]
}
正如你所看到的,这个桶是私有的,甚至我自己的帐户也无法访问它
我可以按如下方式为bucket设置策略:
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --group-name developers
{
"Version": "2012-10-17",
"Id": "Policy1515865416346",
"Statement": [
{
"Sid": "Stmt1515865413837",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::stackoverflow2017/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.1"
}
}
}
]
}
但是,我想知道其他的选择
问题:授予开发人员、应用程序等访问权限的备选方案和最佳做法是什么?有几种方法可以确保s3中存储桶的安全,我可以列出以下四种应用权限的方法:
- /
- 允许某人或某事将密钥上载到您的存储桶
- 提供对特定密钥的临时访问
限制对s3资源访问的备选方案 1.将IAM策略设置为组或用户。 此方法允许您将设置为组或用户,您可以通过CLI、API调用或通过AWS控制台进行设置
- 控制台
developer
-按按钮添加权限
:
IAM政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1515865413837",
"Action": [
"s3:ListBucket",
"s3:ListObjects"
],
"Effect": "Allow", // Can be Denied
"Resource": "arn:aws:s3:::stackoverflow2017"
}
]
}
该策略S3PolicyForDeveloper
授予用户developer
在bucketstackoverflow2017
中列出bucket
和对象的权限
要将策略设置为组,请遵循组列表中的相同步骤
- 命令行界面(CLI)
以下命令显示如何将分配给IAM用户。基本上,将创建一个名为S3PolicyForDeveloper
的新IAM策略,并立即将其附加到IAM用户。
$ aws iam put-user-policy --user-name developer --policy-name S3PolicyForDeveloper --policy-document file:///policies/S3PolicyForDeveloper.json
$ aws iam put-group-policy --group-name developers --policy-document file:///policies/S3PolicyForDeveloper.json --policy-name S3PolicyForDeveloper
另一方面,假设您希望将现有的连接到IAM用户,为此,请执行以下命令:
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --group-name developers
{
"Version": "2012-10-17",
"Id": "Policy1515865416346",
"Statement": [
{
"Sid": "Stmt1515865413837",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::stackoverflow2017/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.1"
}
}
}
]
}
以下命令显示如何将分配给IAM组。基本上,将创建一个名为S3PolicyForDeveloper
的新IAM策略,并立即将其附加到IAM组。
$ aws iam put-user-policy --user-name developer --policy-name S3PolicyForDeveloper --policy-document file:///policies/S3PolicyForDeveloper.json
$ aws iam put-group-policy --group-name developers --policy-document file:///policies/S3PolicyForDeveloper.json --policy-name S3PolicyForDeveloper
要将IAM策略附加到组,请执行以下命令:
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --group-name developers
{
"Version": "2012-10-17",
"Id": "Policy1515865416346",
"Statement": [
{
"Sid": "Stmt1515865413837",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::stackoverflow2017/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.1"
}
}
}
]
}
2.将Bucket策略设置为Bucket。
bucket策略允许您向特定bucket授予特定权限。例如,您可以向特定的一组IP地址或AWS中的特定帐户授予对bucket的访问权限,等等
这是bucketstackoverflow2017的策略
:
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --group-name developers
{
"Version": "2012-10-17",
"Id": "Policy1515865416346",
"Statement": [
{
"Sid": "Stmt1515865413837",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::stackoverflow2017/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.1"
}
}
}
]
}
如您所见,resource
键包含bucketstackoverflow2017
加上/*
表示此策略应用于bucket的内容,条件
键包含,在这种情况下,此bucket只能从IP地址192.168.1.1
读取。Principal
键包含允许或拒绝访问资源的用户、帐户、服务或其他实体,在本例中,访问指定的bucket
{
"Version": "2012-10-17",
"Id": "Policy1515865416346",
"Statement": [
{
"Sid": "Stmt1515865413837",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::stackoverflow2017/*"
},
{
"Sid": "Stmt1515865413838",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::stackoverflow2017"
}
]
}
如果执行操作的帐户是123456789
,则上述策略允许list/read
和put
将新对象放入bucketstackoverflow2017
这种方法允许您将设置为bucket,您可以通过CLI、API调用或通过AWS控制台进行设置
- 控制台
单击bucketstackoverflow2017
-单击选项卡权限-单击bucket策略按钮
粘贴Bucket策略,或者您可以使用生成它
- 命令行界面(CLI)
下面的命令使用文件stackoverflow2017.json
$ aws s3api put-bucket-policy --bucket stackoverflow2017 --policy file://Stackoverflow2017.json
资源
希望能有所帮助在s3中有几种方法可以确保存储桶的安全,我可以列出这四种应用方法