S3 存储桶策略限制对单个文件夹的访问
S3 Bucket Policy Restricting Access to Single Folder
我有一个被多个 Lambda 访问的 S3 存储桶。我想限制对单个文件夹的访问,以便只有一个 Lambda 可以访问它。
我有以下创建所有资源的 Cloud Formation 模板,但我无法获得正确的存储桶策略条件。当我的 Lambda 执行角色被指定为例外时,它会限制对文件夹的访问,但不会授予对我的 Lambda 的访问权限。为什么下面的模板不起作用?
ExampleBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub '${AWS::StackName}-${AWS::AccountId}-example-bucket'
ExampleBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref ExampleBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- 's3:*'
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${ExampleBucket}/example-folder/
- !Sub arn:aws:s3:::${ExampleBucket}/example-folder/*
Principal: '*'
Condition:
ArnNotEquals:
aws:SourceArn:
- !GetAtt LambdaExecutionRole.Arn
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Sub ${AWS::StackName}-handler
CodeUri: ./src
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Runtime: nodejs12.x
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
Policies:
- PolicyName: !Sub ${AWS::StackName}
PolicyDocument:
Statement:
- Action:
- s3:GetObject
- s3:ListBucket
- s3:PutObject
Effect: Allow
Resource:
- !Sub arn:aws:s3:::${ExampleBucket}
- !Sub arn:aws:s3:::${ExampleBucket}/*
- Action:
- lambda:InvokeFunction
Effect: Allow
Resource: '*'
我收到以下错误:“StoreDB 函数错误:putStoreObject,访问密钥:example-folder/example-file,AWS S3 消息:拒绝访问”
根据 OP 的评论,从 aws:SourceArn 更改为 aws:PrincipalArn 有效。
我有一个被多个 Lambda 访问的 S3 存储桶。我想限制对单个文件夹的访问,以便只有一个 Lambda 可以访问它。
我有以下创建所有资源的 Cloud Formation 模板,但我无法获得正确的存储桶策略条件。当我的 Lambda 执行角色被指定为例外时,它会限制对文件夹的访问,但不会授予对我的 Lambda 的访问权限。为什么下面的模板不起作用?
ExampleBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub '${AWS::StackName}-${AWS::AccountId}-example-bucket'
ExampleBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref ExampleBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- 's3:*'
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${ExampleBucket}/example-folder/
- !Sub arn:aws:s3:::${ExampleBucket}/example-folder/*
Principal: '*'
Condition:
ArnNotEquals:
aws:SourceArn:
- !GetAtt LambdaExecutionRole.Arn
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Sub ${AWS::StackName}-handler
CodeUri: ./src
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Runtime: nodejs12.x
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
Policies:
- PolicyName: !Sub ${AWS::StackName}
PolicyDocument:
Statement:
- Action:
- s3:GetObject
- s3:ListBucket
- s3:PutObject
Effect: Allow
Resource:
- !Sub arn:aws:s3:::${ExampleBucket}
- !Sub arn:aws:s3:::${ExampleBucket}/*
- Action:
- lambda:InvokeFunction
Effect: Allow
Resource: '*'
我收到以下错误:“StoreDB 函数错误:putStoreObject,访问密钥:example-folder/example-file,AWS S3 消息:拒绝访问”
根据 OP 的评论,从 aws:SourceArn 更改为 aws:PrincipalArn 有效。