VPC access policy for S3 buckets


Problem description

I have a VPC, with a VPC endpoint that is associated with a particular route table, say RTB1. Subnet1 uses RTB1 while Subnet2 doesn't.

If I attach a policy to the S3 bucket, specifying the vpc-ID as in the policy below:

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}

Will this allow instances in Subnet2 to access the S3 bucket? Even though those instances are not routed through RTB1, which has the vpc-endpoint entry?

Solution

Here is a summary of the behavior:

Scenario: Assume there is
- 1 VPC, vpc-111bbb22
- 3 subnets
    * subnet-1111 behind s3 vpc endpoint vpce-1111,
    * subnet-2222 behind s3 vpce-2222 and
    * subnet-3333 which is not associated with any vpc endpoint.
- 1 S3 bucket named my_secure_bucket (NOTE: this bucket has to be in the same region as the VPC/VPC endpoints)

Using the above bucket policy, the accessibility is as follows:
subnet-1111 - can access
subnet-2222 - can access
subnet-3333 - cannot access
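To make the answer's table reproducible, here is an added example (not part of the original question or answer) that evaluates the bucket policy's Deny statement against constructed request contexts for the three subnets. It relies on the IAM rule that a negated operator such as StringNotEquals matches when its key is absent from the request context, which is why traffic that does not go through a VPC endpoint (no aws:sourceVpc key) is denied; the request contexts, including the aws:sourceVpce values and the extra foreign-VPC case, are constructed for illustration.

```python
# The bucket policy from the question, embedded as sample input (a Deny-only statement).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Access-to-specific-VPC-only", "Principal": "*", "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-111bbb22"}},
}]}

def condition_matches(operator, expected, request_context, key):
    # IAM semantics for the two string operators used here: a negated operator
    # (StringNotEquals) matches when the key is ABSENT; a positive one does not.
    actual = request_context.get(key)
    if operator == "StringEquals":
        return actual is not None and actual in expected
    if operator == "StringNotEquals":
        return actual is None or actual not in expected
    raise ValueError(f"unsupported condition operator: {operator}")

def statement_applies(statement, request_context):
    # Every condition entry must match; Action/Resource are assumed to match (s3:* on this bucket).
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            if not condition_matches(operator, values, request_context, key):
                return False
    return True

def evaluate(policy, request_context):
    # Explicit Deny wins; otherwise Allow if an Allow statement applies; else implicit deny.
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if statement_applies(statement, request_context):
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# Constructed request contexts for the answer's three subnets (plus a foreign VPC).
# Requests that reach S3 through a gateway endpoint carry aws:sourceVpc and
# aws:sourceVpce; subnet-3333 leaves via the internet and carries neither key.
REQUESTS = {
    "subnet-1111": {"aws:sourceVpc": "vpc-111bbb22", "aws:sourceVpce": "vpce-1111"},
    "subnet-2222": {"aws:sourceVpc": "vpc-111bbb22", "aws:sourceVpce": "vpce-2222"},
    "subnet-3333": {},
    "other-vpc": {"aws:sourceVpc": "vpc-999ccc99", "aws:sourceVpce": "vpce-9999"},
}

def denied_sources(policy=BUCKET_POLICY, requests=REQUESTS):
    # Map each source to whether this bucket policy's explicit Deny blocks it.
    return {name: evaluate(policy, ctx) == "Deny" for name, ctx in requests.items()}
```

Because the policy contains only a Deny statement, the sources it does not block still need an Allow (for example from the caller's IAM identity policy) before S3 actually grants access.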
