限制S3存储桶对VPC的访问 [英] Restricting S3 bucket access to a VPC
问题描述
我正在尝试应用以下策略,以限制my_bucket
对特定VPC的访问.
I am trying to apply the following policy in order to restrict my_bucket
's access to a particular VPC.
- 当我尝试将此作为桶策略应用时,得到一个
Policy has an invalid condition key - ec2:Vpc
.我该如何纠正?
- When I try apply this as a bucket policy, I get an
Policy has an invalid condition key - ec2:Vpc
. How do I correct this?
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Deny",
"Principal": {
"AWS": "*"
},
"Action":"*",
"Resource":"arn:aws:s3:::my_bucket/*",
"Condition":{
"StringNotEquals":{
"ec2:Vpc":"arn:aws:ec2:region:account:vpc/vpc-ccccccc"
}
}
}
]
}
推荐答案
我刚开始使用它.我必须做两件事. 1)在S3存储桶上创建存储桶策略,2)创建"VPC端点"
I just got this to work. I had to do two things. 1) Create the bucket policy on the S3 bucket, 2) create a "VPC Endpoint"
我的S3存储桶策略如下(当然会在存储桶名称和VPC标识符中输入):
My S3 bucket policy looks like this (of course put in your bucket name and VPC identifier):
{
"Version": "2012-10-17",
"Id": "Policy1234567890123",
"Statement": [
{
"Sid": "Stmt1234567890123",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"StringEquals": {
"aws:sourceVpc": "vpc-12345678"
}
}
}
]
}
S3存储桶还具有存储桶策略之外的一些权限,以允许从AWS控制台进行访问.进行上述操作无法访问.要获得访问权限,我还必须转到AWS控制台-> VPC->端点,然后创建一个端点.我将新创建的端点附加到该帐户当前拥有的唯一路由策略(该路由附加了所有子网),并且使用默认策略
The S3 bucket also has some permissions outside the bucket policy to allow access from the AWS Console. Doing the above did not give access. To get access, I also had to go to AWS Console -> VPC -> Endpoints, and then create an endpoint. I attached the newly created endpoint to the only routing policy the account has at the moment (that has all subnets attached to it) and I used the default policy of
{
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
}
]
}
创建端点后,只需使用带有正确URL的wget
,就可以从VPC中任何EC2实例的S3存储桶中进行读取.我仍然能够从AWS控制台访问存储桶.但是,如果我尝试从VPC外部访问URL,则会被禁止403.因此,就像您要查找的内容一样,对S3存储桶的访问仅限于单个VPC.
Once I created the endpoint, I was able to read from the S3 bucket from any EC2 instance in my VPC simply using wget
with the right URL. I am still able to access the bucket from the AWS Console. But if I try to access the URL from outside the VPC, I get 403 forbidden. Thus, access to the S3 bucket is restricted to a single VPC, just like what you are looking for.
这显然是一个新功能.有关更多信息,请参见此 AWS博客条目
This is apparently a new feature. See this AWS blog entry for more information.
这篇关于限制S3存储桶对VPC的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!