用于根据实例标签或实例 ID 限制少数实例连接到 S3 存储桶的角色的 AWS S3 IAM 策略 [英] AWS S3 IAM policy for role for restricting few instances to connect to S3 bucket based in instance tag or instance id

问题描述

我有一个 AWS S3 已经与所有实例相关联，以获得对所有 S3 存储桶的读取权限.现在我需要为写权限(Put 对象)的角色添加一个策略，以便其中一些实例可以对 S3 中的某些文件夹具有写权限.有没有办法通过实例标签(对我来说更好的选择)或实例 ID 来实现它.

I have a AWS S3 already associated with all the instances for read privileges to all S3 buckets. Now I need to add a policy to the roles for write privileges(Put object) so that a few of these instances can have write permissions to certain folders in the S3. Is there any way to achieve it through instance tag(better option for me) or instance id.

我尝试添加 IAM 策略，但是当我设置条件时，我的实例没有获得所需的权限.

I tried adding an IAM policy but when I set the condition, my instances are not getting the required privileges.

我使用的 IAM 策略是:

The IAM policy I used is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1456567757624",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::testbucket/testfolder1/*",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:ec2:eu-west-1:<accountno>:instance/<instanceid1>"
        }
      }
    },
    {
      "Sid": "Stmt1456567757625",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::testbucket/testfolder2/*",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:ec2:eu-west-1:<accountno>:instance/<instanceid2>"
        }
      }
    }
  ]
}

推荐答案

这里有一个替代方案，基于 根据角色名称授予对 S3 资源的访问权限...

Here's an alternative, based on hints given in Granting access to S3 resources based on role name...

不要使用 aws:SourceArn，而是使用 aws:userid！

Instead of using aws:SourceArn, use aws:userid!

请求您可以使用的信息策略变量 文档中有一个表格显示了 aws:userid 的各种值，包括:

The Request Information That You Can Use for Policy Variables documentation has a table showing various values of aws:userid including:

对于分配给Amazon EC2实例的角色，设置为role-id:ec2-instance-id

因此，您可以使用用于启动 Amazon EC2 实例的角色的角色 ID 或实例 ID 来允许访问.

Therefore, you could use the Role ID of the role that is used to launch the Amazon EC2 instance to permit access OR the Instance ID.

例如，这个基于角色 ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SID123",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "AROAIIPEUJOUGITIU5BB6*"
                    ]
                }
            }
        }
    ]
}

当然，如果您要根据角色 ID 分配权限，那么您也可以轻松地在角色本身内授予权限.

Of course, if you are going to assign permission based on a Role ID, then you can just as easily grant permissions within the Role itself.

这个基于实例 ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SID123",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "*:i-03c9a5f3fae4b630a"
                    ]
                }
            }
        }
    ]
}

实例 ID 将保留在实例中，但如果启动新实例，则会分配一个新实例，即使来自同一亚马逊系统映像 (AMI).

The Instance ID will remain with the instance, but a new one will be assigned if a new instance is launched, even from the same Amazon Machine Image (AMI).

这篇关于用于根据实例标签或实例 ID 限制少数实例连接到 S3 存储桶的角色的 AWS S3 IAM 策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！