AWS IAM policy: how do I change the AWSLambdaFullAccess policy so it only allows access to one S3 bucket?
Problem description:
I'm working with my IT team to restrict my user account (under the root account) so that it cannot reach S3 buckets I'm not supposed to access. With the AWSLambdaFullAccess policy attached, the account gets full access to many AWS services, including all of S3. Here is the AWSLambdaFullAccess policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "s3:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    }
  ]
}
Most of this is fine. How can I modify it into a new policy so that I can only access the "arn:aws:s3:::lambda-scripts" bucket?
Answer
The most direct edit I can think of would be to remove "s3:*" from the Action list of your statement and add a second statement that grants S3 access to just that bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3LambdaScripts",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::lambda-scripts",
        "arn:aws:s3:::lambda-scripts/*"
      ]
    }
  ]
}
The better answer is that you really shouldn't be using the predefined AWSLambdaFullAccess policy at all. Instead, build your own policy from multiple statements that target only the services and resources you actually need. For example, are you really using DynamoDB, Kinesis, Cognito and so on? Yes, this is tedious. But if you save the smaller pieces as customer-managed policies in IAM, it becomes much easier to mix and match custom and predefined policies.
Answer
Split the S3 permissions into separate statements and change the Resource of those statements. Something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::lambda-scripts"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::lambda-scripts/*"
    }
  ]
}
I'm going to go with this. The AWSLambdaFullAccess policy really does grant far more access than I need. I'll write a new policy that trims all the fat.
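As an added example that is not part of the question or of either answer, the following Python script automates what both answers do by hand: it strips the s3:* grant out of the managed policy document from the question and appends bucket-level and object-level statements for one bucket, then checks the result against a deliberately simplified model of IAM evaluation (explicit Deny wins, any matching Allow grants, otherwise implicit deny; Condition keys, NotAction/NotResource, resource policies and permission boundaries are ignored). The bucket name lambda-scripts is the one from the question; the other-bucket and lambda-scripts-backup names, the function names and the 123456789012 account ID are invented for the demonstration. The last helper shows why a single arn:aws:s3:::lambda-scripts* resource is looser than it looks: the trailing wildcard also matches any bucket whose name merely begins with lambda-scripts, which is why the two-ARN form (bucket ARN plus bucket/*) is the precise one.

```python
"""Scope the AWSLambdaFullAccess document from the question down to one S3 bucket
and check the result with a small, simplified model of IAM evaluation.

Added example, not code from the question, either answer, or AWS. The evaluator
handles only Allow/Deny statements with Action/Resource wildcards; it ignores
Condition, NotAction/NotResource, resource policies and permission boundaries.
"""
import copy
import json
import re

# The managed policy document pasted in the question, embedded here as input.
LAMBDA_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudwatch:*", "cognito-identity:ListIdentityPools",
            "cognito-sync:GetCognitoEvents", "cognito-sync:SetCognitoEvents",
            "dynamodb:*", "events:*", "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies", "iam:ListRoles", "iam:PassRole",
            "kinesis:DescribeStream", "kinesis:ListStreams", "kinesis:PutRecord",
            "lambda:*", "logs:*", "s3:*", "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic", "sns:ListTopics", "sns:Subscribe",
            "sns:Unsubscribe",
        ],
        "Resource": "*",
    }],
}

# Bucket-level actions are authorised against the bucket ARN, object-level actions
# against <bucket>/<key>; that is why the second answer needs two statements.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scope_s3_to_bucket(policy, bucket):
    """Return a copy of `policy` with every s3:* grant stripped from its statements
    and replaced by bucket- and object-scoped statements for `bucket` only."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        stmt["Action"] = [a for a in _as_list(stmt["Action"])
                          if not a.lower().startswith("s3:")]
    scoped["Statement"] = [s for s in scoped["Statement"] if s["Action"]]
    scoped["Statement"].append({
        "Sid": "S3BucketLevel", "Effect": "Allow", "Action": BUCKET_ACTIONS,
        "Resource": f"arn:aws:s3:::{bucket}",        # the bucket itself, no /*
    })
    scoped["Statement"].append({
        "Sid": "S3ObjectLevel", "Effect": "Allow", "Action": OBJECT_ACTIONS,
        "Resource": f"arn:aws:s3:::{bucket}/*",      # keys inside that bucket only
    })
    return scoped


def iam_match(pattern, value, ignore_case):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    Action names compare case-insensitively; ARNs compare case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified decision: an explicit Deny wins, otherwise any matching Allow
    grants, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_match(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def prefix_wildcard_leaks(bucket, other_bucket):
    """Show why a single 'arn:aws:s3:::<bucket>*' resource is too loose: the trailing
    '*' also matches every bucket whose name merely starts with <bucket>."""
    loose = f"arn:aws:s3:::{bucket}*"
    return iam_match(loose, f"arn:aws:s3:::{other_bucket}/secret.txt", False)


if __name__ == "__main__":
    scoped = scope_s3_to_bucket(LAMBDA_FULL_ACCESS, "lambda-scripts")
    print(json.dumps(scoped, indent=2))
    checks = [  # constructed requests; 123456789012 is a placeholder account ID
        ("s3:GetObject", "arn:aws:s3:::lambda-scripts/handler.zip"),
        ("s3:ListBucket", "arn:aws:s3:::lambda-scripts"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/handler.zip"),
        ("s3:ListBucket", "arn:aws:s3:::lambda-scripts-backup"),
        ("lambda:UpdateFunctionCode",
         "arn:aws:lambda:us-east-1:123456789012:function:demo"),
    ]
    for action, resource in checks:
        print(f"{action:26} {resource:55} "
              f"before={is_allowed(LAMBDA_FULL_ACCESS, action, resource)} "
              f"after={is_allowed(scoped, action, resource)}")
    print("lambda-scripts* also matches lambda-scripts-backup:",
          prefix_wildcard_leaks("lambda-scripts", "lambda-scripts-backup"))
```

The model here is intentionally minimal; before attaching the scoped document for real, run it through the IAM policy simulator (for example aws iam simulate-custom-policy with --policy-input-list, --action-names and --resource-arns) so that Condition keys, permission boundaries and any bucket policy on lambda-scripts are taken into account.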