Amazon S3存储桶策略:如何仅锁定对EC2实例的访问 [英] Amazon S3 Bucket Policy: How to lock down access to only your EC2 Instances
问题描述
出于安全考虑,我正在锁定S3存储桶-我将部署映像存储在存储桶中。
I am looking to lock down an S3 bucket for security purposes - i'm storing deployment images in the bucket.
我要做的是创建存储桶仅支持从我帐户中的EC2实例通过http 进行匿名下载的政策。
What I want to do is create a bucket policy that supports anonymous downloads over http only from EC2 instances in my account.
有没有办法做到这一点?
Is there a way to do this?
我要使用的政策示例(它不会被应用):
An example of a policy that I'm trying to use (it won't allow itself to be applied):
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::[my bucket name]",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:ec2:us-east-1:[my account id]:instance/*"
}
}
}
]
}
推荐答案
只是为了阐明通常是如何完成的。您创建IAM策略,将其附加到新角色或现有角色,然后使用该角色装饰ec2实例。您还可以通过存储区策略提供访问权限,但这不太精确。
Just to clarify how this is normally done. You create a IAM policy, attach it to a new or existing role, and decorate the ec2 instance with the role. You can also provide access through bucket policies, but that is less precise.
以下详细信息:
-
S3存储桶默认为拒绝我的主人。因此,您创建了存储桶并上传了数据。您可以尝试使用 https://s3.amazonaws来使用浏览器来验证文件是否不可访问。 com / MyBucketName / file.ext 。应该返回xml中的错误代码 Access Denied。如果收到错误代码 NoSuchBucket,则说明网址错误。
S3 buckets are default deny except for my the owner. So you create your bucket and upload the data. You can verify with a browser that the files are not accessible by trying https://s3.amazonaws.com/MyBucketName/file.ext. Should come back with error code "Access Denied" in the xml. If you get an error code of "NoSuchBucket", you have the url wrong.
基于arn:aws:iam :: aws创建IAM策略:策略/ AmazonS3ReadOnlyAccess。开始看起来像下面的片段。查看资源键,并注意它已设置为通配符。您只需将其修改为您的存储桶即可。您必须对存储桶及其内容执行一个操作,使其变为:资源:[ arn:aws:s3 ::: MyBucketName, arn:aws:s3 ::: MyBucketName / *]
Create an IAM policy based on arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess. Starts out looking like the snip below. Take a look at the "Resource" key, and note that it is set to a wild card. You just modify this to be the arn of your bucket. You have to do one for the bucket and its contents so it becomes: "Resource": ["arn:aws:s3:::MyBucketName", "arn:aws:s3:::MyBucketName/*"]
现在,您有了一个策略,您想要做的就是用自动授予该策略的IAM角色来装饰实例。所有实例都无需任何身份验证密钥。因此,转到角色,创建新角色,创建一个Amazon EC2角色,找到您刚刚创建的策略,然后角色就准备好了。
Now that you have a policy, what you want to do is to decorate your instances with a IAM Role that automatically grants it this policy. All without any authentication keys having to be in the instance. So go to Role, create new role, make an Amazon EC2 role, find the policy you just created, and your Role is ready.
最后,您创建了自己的角色。实例,然后添加您刚创建的IAM角色。如果计算机已经具有自己的角色,则只需将这两个角色合并为该计算机的新角色。如果计算机已经在运行,则只有在重新启动后,它才能获得新角色。
Finally you create your instance, and add the IAM role you just created. If the machine already has its own role, you just have to merge the two roles into a new one for the machine. If the machine is already running, it wont get the new role until you restart.
现在,您应该可以上手了。机器有权访问s3共享。现在,您可以使用以下命令将文件复制到您的实例。请注意,您必须指定区域
Now you should be good to go. The machine has the rights to access the s3 share. Now you can use the following command to copy files to your instance. Note you have to specify the region
aws s3 cp --region us-east-1 s3://MyBucketName/MyFileName.tgz /主页/ ubuntu
aws s3 cp --region us-east-1 s3://MyBucketName/MyFileName.tgz /home/ubuntu
请注意,术语通过隐秘获得安全性仅电影里的东西。可证明的东西是安全的,或者是不安全的。
Please Note, the term "Security through obscurity" is only a thing in the movies. Either something is provably secure, or it is insecure.
这篇关于Amazon S3存储桶策略:如何仅锁定对EC2实例的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
