Restricting S3 bucket access to a VPC


Question

I am trying to apply the following policy in order to restrict my_bucket's access to a particular VPC.

  1. When I try to apply this as a bucket policy, I get "Policy has an invalid condition key - ec2:Vpc". How do I correct this?


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Deny",
         "Principal": {
            "AWS": "*"
         },
         "Action":"*",
         "Resource":"arn:aws:s3:::my_bucket/*",
         "Condition":{
            "StringNotEquals":{
               "ec2:Vpc":"arn:aws:ec2:region:account:vpc/vpc-ccccccc"
            }
         }
      }
   ]
}

Recommended answer

I just got this to work. I had to do two things. 1) Create the bucket policy on the S3 bucket, 2) create a "VPC Endpoint"

My S3 bucket policy looks like this (of course put in your bucket name and VPC identifier):

{
    "Version": "2012-10-17",
    "Id": "Policy1234567890123",
    "Statement": [
        {
            "Sid": "Stmt1234567890123",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my_bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpc-12345678"
                }
            }
        }
    ]
}

The S3 bucket also has some permissions outside the bucket policy to allow access from the AWS Console. Doing the above did not give access. To get access, I also had to go to AWS Console -> VPC -> Endpoints, and then create an endpoint. I attached the newly created endpoint to the only routing policy the account has at the moment (that has all subnets attached to it) and I used the default policy of

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}

Once I created the endpoint, I was able to read from the S3 bucket from any EC2 instance in my VPC simply using wget with the right URL. I am still able to access the bucket from the AWS Console. But if I try to access the URL from outside the VPC, I get 403 forbidden. Thus, access to the S3 bucket is restricted to a single VPC, just like what you are looking for.

This is apparently a new feature. See this AWS blog entry for more information.
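
As an added example (not part of the original question or answer), this Python sketch lints a bucket policy for the error in the question and rewrites the asker's Deny statement to use `aws:SourceVpc` with a bare VPC ID. The allowed key prefixes, the VPC ID pattern and the function names `lint` and `use_source_vpc` are assumptions made for the illustration.

```python
import copy
import json
import re

# Constructed copy of the question's policy (placeholders kept as on the page).
QUESTION_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*",
   "Resource": "arn:aws:s3:::my_bucket/*",
   "Condition": {"StringNotEquals":
     {"ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-ccccccc"}}}]}
""")

# Assumption: a bucket policy only accepts global (aws:) and S3 (s3:) condition keys.
ALLOWED_PREFIXES = ("aws:", "s3:")
VPC_ID = re.compile(r"^vpc-[0-9a-f]+$")

def _statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts

def lint(policy):
    """Return findings for condition keys S3 would reject or never match."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                values = value if isinstance(value, list) else [value]
                # Condition key names are case-insensitive, so compare in lower case.
                if not key.lower().startswith(ALLOWED_PREFIXES):
                    findings.append(f"Statement[{i}] {operator}: '{key}' is not an aws: or s3: key")
                elif key.lower() == "aws:sourcevpc":
                    findings += [f"Statement[{i}] {operator}: '{v}' is not a bare VPC ID"
                                 for v in values if not VPC_ID.match(v)]
    return findings

def use_source_vpc(policy):
    """Return a copy with ec2:Vpc conditions rewritten to aws:SourceVpc + VPC ID."""
    fixed = copy.deepcopy(policy)
    for stmt in _statements(fixed):
        for pairs in stmt.get("Condition", {}).values():
            for key in [k for k in pairs if k.lower() == "ec2:vpc"]:
                value = pairs.pop(key)
                values = value if isinstance(value, list) else [value]
                ids = [v.rsplit("/", 1)[-1] for v in values]  # ARN -> vpc-xxxx
                pairs["aws:SourceVpc"] = ids if isinstance(value, list) else ids[0]
    return fixed

if __name__ == "__main__":
    print(lint(QUESTION_POLICY), json.dumps(use_source_vpc(QUESTION_POLICY)))
```

Run against the question's policy, `lint` reports the `ec2:Vpc` key and `use_source_vpc` yields a Deny on `aws:SourceVpc` equal to `vpc-ccccccc`. `aws:SourceVpc` is only present on requests that reach S3 through a VPC endpoint, so such a Deny also rejects AWS Console requests to the bucket.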
