Posts by Aak*_*eth

AWS policy evaluation

I have an IAM role to be attached to a microservice in order to limit S3 folder access based on user-agent. The microservice parent account and the bucket owner are the same.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-test/service/${aws:useragent}/*"
            ]
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket-test"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "service/${aws:useragent}/*"
                    ]
                }
            }
        }
    ]
}

The same S3 bucket has …

amazon-s3 amazon-iam

6 votes, 1 answer, 4346 views

Boto3: setting a custom user agent to test an S3 access policy

I am using boto3 to write some tests that verify the microservice access policy on an S3 bucket.

Bucket setup:

test-bucket/
  service/
    micro-a/
    micro-b/

This bucket policy is intended to restrict access to principals holding a specific role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessIfInThisRole",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test-bucket/*",
            "Condition": {
                "StringNotLike": {
                    "aws:userid": "*role-id*"
                }
            }
        }
    ]
}

The role ID refers to the following IAM role, which grants access to each microservice's own folder in the bucket based on the microservice's user agent; for example, the user agent of microservice A might be "micro-a", so it should have access to test-bucket/service/micro-a/* but not to test-bucket/service/micro-b/*.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::as-bucket-test/service/${aws:useragent}/*"
            ]
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::as-bucket-test"
            ],
            "Condition": …

amazon-s3 amazon-iam boto3

5 votes, 1 answer, 3424 views

Tag statistics

amazon-iam ×2

amazon-s3 ×2

boto3 ×1