使用 CDK 将 IAM 策略添加到 S3 时出现错误
Adding IAM policy to S3 using CDK giving errors
我正在尝试使用 CDK 创建 S3 存储桶。 Bucket 已经创建好了。但是,当我尝试添加以下 IAM 策略时,出现创建失败 - API: s3:PutBucketPolicy Access Denied
TestBucket.addToResourcePolicy(new iam.PolicyStatement({
actions: [ 's3:*'],
effect: iam.Effect.DENY,
principals: [ new iam.AnyPrincipal],
resources: [TestBucket.bucketArn+'/*'],
conditions: {
"Bool": {
"aws:SecureTransport": "false"
}
},
我是 运行 的用户,此代码具有管理员权限。可能是什么问题?
用于创建 S3 存储桶并将资源策略设置为仅允许 HTTPS 的示例 CDK 代码。
import * as cdk from "@aws-cdk/core";
import * as s3 from "@aws-cdk/aws-s3";
import * as iam from "@aws-cdk/aws-iam";
export class TestS3Stack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
this.simpleS3();
}
simpleS3() {
const myBucket = new s3.Bucket(this, "my-bucket", {
bucketName: "my-test-bucket-balu",
blockPublicAccess: {
blockPublicAcls: true,
blockPublicPolicy: true,
ignorePublicAcls: true,
restrictPublicBuckets: true,
},
});
myBucket.addToResourcePolicy(
new iam.PolicyStatement({
actions: ["s3:*"],
effect: iam.Effect.DENY,
principals: [new iam.AnyPrincipal()],
resources: [myBucket.bucketArn, myBucket.bucketArn + "/*"],
conditions: {
Bool: {
"aws:SecureTransport": "false",
},
},
})
);
}
}
除非有 service control policy 阻止管理员用户访问 PutBucketPolicy,否则我们在创建仅阻止 http 请求的存储桶策略时不应出现错误。
我们可以检查是否存在权限问题,方法是尝试从 cli 中输入存储桶策略
aws s3api put-bucket-policy --bucket my-test-bucket --policy
'{"Version": "2012-10-17","Statement": [{"Effect": "Deny","Principal":
"","Action": "s3:","Resource":
"arn:aws:s3:::my-test-bucket/*","Condition": {"Bool":
{"aws:SecureTransport": "false"}}}]}'
我正在尝试使用 CDK 创建 S3 存储桶。 Bucket 已经创建好了。但是,当我尝试添加以下 IAM 策略时,出现创建失败 - API: s3:PutBucketPolicy Access Denied
TestBucket.addToResourcePolicy(new iam.PolicyStatement({
actions: [ 's3:*'],
effect: iam.Effect.DENY,
principals: [ new iam.AnyPrincipal],
resources: [TestBucket.bucketArn+'/*'],
conditions: {
"Bool": {
"aws:SecureTransport": "false"
}
},
我是 运行 的用户,此代码具有管理员权限。可能是什么问题?
用于创建 S3 存储桶并将资源策略设置为仅允许 HTTPS 的示例 CDK 代码。
import * as cdk from "@aws-cdk/core";
import * as s3 from "@aws-cdk/aws-s3";
import * as iam from "@aws-cdk/aws-iam";
export class TestS3Stack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
this.simpleS3();
}
simpleS3() {
const myBucket = new s3.Bucket(this, "my-bucket", {
bucketName: "my-test-bucket-balu",
blockPublicAccess: {
blockPublicAcls: true,
blockPublicPolicy: true,
ignorePublicAcls: true,
restrictPublicBuckets: true,
},
});
myBucket.addToResourcePolicy(
new iam.PolicyStatement({
actions: ["s3:*"],
effect: iam.Effect.DENY,
principals: [new iam.AnyPrincipal()],
resources: [myBucket.bucketArn, myBucket.bucketArn + "/*"],
conditions: {
Bool: {
"aws:SecureTransport": "false",
},
},
})
);
}
}
除非有 service control policy 阻止管理员用户访问 PutBucketPolicy,否则我们在创建仅阻止 http 请求的存储桶策略时不应出现错误。
我们可以检查是否存在权限问题,方法是尝试从 cli 中输入存储桶策略
aws s3api put-bucket-policy --bucket my-test-bucket --policy '{"Version": "2012-10-17","Statement": [{"Effect": "Deny","Principal": "","Action": "s3:","Resource": "arn:aws:s3:::my-test-bucket/*","Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}'