Understanding IAM policies
Question
I recently ran into a problem with IAM policies while using CodeBuild. I am trying to understand the difference between the following 2 policies and check whether there are any security implications of using version 2 over version 1.
Version 1 doesn't work, so I decided to go with version 2. But why does version 2 work, and why doesn't version 1 work?
Version 1 only gives access to the CodePipeline resource and allows reading and writing S3 bucket objects.
However, version 2 gives access to all S3 buckets, doesn't it? Would this be considered a security loophole?
Version 1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
        "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::codepipeline-ap-southeast-1-*"
      ],
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ]
    }
  ]
}
Version 2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
        "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::codepipeline-ap-southeast-1-*"
      ],
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ]
    },
    {
      "Sid": "S3AccessPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetObject",
        "s3:List*",
        "s3:PutObject"
      ],
      "Resource": "*"
    }
  ]
}
Answer
I have replicated the scenario by giving restricted access to a specific S3 bucket.
Block 1: Allow required Amazon S3 console permissions. Here I have granted CodePipeline permission to list all the buckets in the AWS account.
Block 2: Allow listing objects in root folders. Here my S3 bucket name is "aws-codestar-us-east-1-493865049436-larvel-test-pipe".
But I am surprised, because when I followed the steps from creating the CodePipeline to creating the build from the same Pipeline console itself, I got the same policy as your version 1 and it executed as well. However, as a next step, I gave a specific permission to a bucket in S3 as in the policy given below, and it has worked. So in your version two, rather than granting all permissions to your resources with "Resource": "*", you can restrict the permission to one specific bucket only, as described in the sample policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1",
        "arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::codepipeline-us-east-1-*"
      ],
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::aws-codestar-us-east-1-493865049436-larvel-test-pipe/*"
      ],
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ]
    }
  ]
}
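The question asks whether version 2 reaches every S3 bucket, and the answer proposes scoping the third statement to one bucket instead. The following Python script is an added example (not code from the question, the answer, or AWS) that re-checks both claims offline with a deliberately simplified IAM evaluator: it understands Effect, Action, Resource and the "*" / "?" wildcards, but not Condition, NotAction, NotResource, resource policies, SCPs or permission boundaries. The three policies are the ones quoted on this page; the bucket name "customer-data-prod" and the object keys are constructed test values.

```python
import re

# Constructed teaching helper, not AWS's real evaluator: only Effect, Action,
# Resource and the "*" / "?" wildcards are modelled.


def _pattern(pattern, ignore_case):
    """Turn an IAM wildcard string into an anchored regular expression."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)


def _listify(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def matching_statements(policy, action, resource):
    """Return (Effect, Sid-or-index) for every statement whose Action and
    Resource both match. Action names are case-insensitive in IAM; S3 ARNs
    are compared case-sensitively."""
    hits = []
    for index, stmt in enumerate(policy["Statement"]):
        action_ok = any(_pattern(a, True).match(action)
                        for a in _listify(stmt.get("Action", [])))
        resource_ok = any(_pattern(r, False).match(resource)
                          for r in _listify(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            hits.append((stmt["Effect"], stmt.get("Sid", f"Statement[{index}]")))
    return hits


def evaluate(policy, action, resource):
    """IAM decision order: an explicit Deny wins, then an Allow, otherwise
    the request is implicitly denied."""
    effects = {effect for effect, _ in matching_statements(policy, action, resource)}
    if "Deny" in effects:
        return "explicit_deny"
    if "Allow" in effects:
        return "allow"
    return "implicit_deny"


def s3_resource_scope(policy):
    """Every Resource pattern on an Allow statement that grants any s3:
    action. A bare "*" in this set is the over-grant the question asks about."""
    scope = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _listify(stmt.get("Action", []))
        if any(a == "*" or a.lower().startswith("s3:") for a in actions):
            scope.update(_listify(stmt.get("Resource", [])))
    return scope


# The log statement is identical in the questioner's two policies.
LOG_STATEMENT = {
    "Effect": "Allow",
    "Resource": [
        "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
        "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*",
    ],
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
}
ARTIFACT_STATEMENT = {
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::codepipeline-ap-southeast-1-*"],
    "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
}
VERSION_1 = {"Version": "2012-10-17", "Statement": [LOG_STATEMENT, ARTIFACT_STATEMENT]}
VERSION_2 = {"Version": "2012-10-17", "Statement": [LOG_STATEMENT, ARTIFACT_STATEMENT, {
    "Sid": "S3AccessPolicy",
    "Effect": "Allow",
    "Action": ["s3:CreateBucket", "s3:GetObject", "s3:List*", "s3:PutObject"],
    "Resource": "*",
}]}
# The answer's bucket-scoped alternative to the "Resource": "*" statement.
RESTRICTED = {"Version": "2012-10-17", "Statement": [ARTIFACT_STATEMENT, {
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::aws-codestar-us-east-1-493865049436-larvel-test-pipe/*"],
    "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
}]}

# Constructed sample requests: a bucket unrelated to the pipeline.
OTHER_OBJECT = "arn:aws:s3:::customer-data-prod/export.csv"
OTHER_BUCKET = "arn:aws:s3:::customer-data-prod"

if __name__ == "__main__":
    for name, policy in [("version 1", VERSION_1), ("version 2", VERSION_2), ("restricted", RESTRICTED)]:
        print(name, "s3 scope:", sorted(s3_resource_scope(policy)))
        print("  GetObject on unrelated bucket:", evaluate(policy, "s3:GetObject", OTHER_OBJECT))
        print("  ListBucket on unrelated bucket:", evaluate(policy, "s3:ListBucket", OTHER_BUCKET))
```

Running it confirms the questioner's reading: version 1 implicitly denies s3:GetObject on any bucket outside the codepipeline-ap-southeast-1-* name space, while version 2's S3AccessPolicy statement allows s3:GetObject, s3:PutObject and every s3:List* action on every bucket in the account. The evaluator also shows a detail worth knowing about the answer's scoped policy: its resource ends in "/*", so it covers objects in the bucket but not the bucket ARN itself, which is what bucket-level actions such as s3:ListBucket are evaluated against.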