AWS IAM 策略:如何更改 AWSLambdaFullAccess 策略以仅允许访问一个 S3 存储桶?
AWS IAM Policies: How do I alter the AWSLambdaFullAccess policy to only allow access to one S3 bucket?
我正在与我的 IT 团队合作限制我的用户帐户(在根帐户下),以便它无法访问我不想访问的 S3 存储桶。启用 AWSLambdaFullAccess 策略时,它允许完全访问许多 AWS 功能,包括所有 S3。这是 AWSLambdaFullAccess 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"s3:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
}
]
}
大部分都很好。我如何将其更改为新策略,以便我只能访问 "arn:aws:s3:::lambda-scripts" 存储桶?
将 S3 权限拆分为单独的语句,并修改这些语句的资源设置。像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource":"arn:aws:s3:::lambda-scripts"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::lambda-scripts/*"
}
]
}
我能想到的最直接的编辑是从您拥有的语句中删除 "s3:*" 操作,并添加第二条语句以授予 S3 仅访问该存储桶的权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Sid": "S3LambdaScripts",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::lambda-scripts*"
]
}
]
}
更好的答案是您真的不应该使用预定义的 AWSLambdaFullAccess 权限。相反,使用针对您真正需要的服务和资源的多个语句来构建您自己的。例如,您真的在使用 Dynamo、Kinesis、Cognito 等吗?是的,这很乏味。但是,如果您在 IAM 中将较小的增量保存为用户定义的策略,则可以更轻松地从自定义和预定义的内容中拼凑出合理的策略。
我正在与我的 IT 团队合作限制我的用户帐户(在根帐户下),以便它无法访问我不想访问的 S3 存储桶。启用 AWSLambdaFullAccess 策略时,它允许完全访问许多 AWS 功能,包括所有 S3。这是 AWSLambdaFullAccess 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"s3:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
}
]
}
大部分都很好。我如何将其更改为新策略,以便我只能访问 "arn:aws:s3:::lambda-scripts" 存储桶?
将 S3 权限拆分为单独的语句,并修改这些语句的资源设置。像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource":"arn:aws:s3:::lambda-scripts"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::lambda-scripts/*"
}
]
}
我能想到的最直接的编辑是从您拥有的语句中删除 "s3:*" 操作,并添加第二条语句以授予 S3 仅访问该存储桶的权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Sid": "S3LambdaScripts",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::lambda-scripts*"
]
}
]
}
更好的答案是您真的不应该使用预定义的 AWSLambdaFullAccess 权限。相反,使用针对您真正需要的服务和资源的多个语句来构建您自己的。例如,您真的在使用 Dynamo、Kinesis、Cognito 等吗?是的,这很乏味。但是,如果您在 IAM 中将较小的增量保存为用户定义的策略,则可以更轻松地从自定义和预定义的内容中拼凑出合理的策略。