限制对 VPC 的 S3 存储桶访问 [英] Restricting S3 bucket access to a VPC
问题描述
我正在尝试应用以下策略以限制 my_bucket
对特定 VPC 的访问.
I am trying to apply the following policy in order to restrict my_bucket
's access to a particular VPC.
当我尝试将此作为存储桶策略应用时,我得到一个 Policy has an invalid condition key - ec2:Vpc
.
When I try to apply this as a bucket policy, I get an Policy has an invalid condition key - ec2:Vpc
.
我该如何纠正?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "*",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition":{
"StringNotEquals": {
"ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-ccccccc"
}
}
}
]
}
推荐答案
我刚刚开始使用它.我必须做两件事.1) 在 S3 存储桶上创建存储桶策略,2) 创建VPC 端点"
I just got this to work. I had to do two things. 1) Create the bucket policy on the S3 bucket, 2) create a "VPC Endpoint"
我的 S3 存储桶策略如下所示(当然要输入您的存储桶名称和 VPC 标识符):
My S3 bucket policy looks like this (of course put in your bucket name and VPC identifier):
{
"Version": "2012-10-17",
"Id": "Policy1234567890123",
"Statement": [
{
"Sid": "Stmt1234567890123",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"StringEquals": {
"aws:sourceVpc": "vpc-12345678"
}
}
}
]
}
S3 存储桶还具有存储桶策略之外的一些权限,以允许从 AWS 控制台进行访问.执行上述操作并没有提供访问权限.为了获得访问权限,我还必须转到 AWS 控制台 ->VPC ->端点,然后创建端点.我将新创建的端点附加到该帐户目前唯一的路由策略(所有子网都附加到它)并且我使用了默认策略
The S3 bucket also has some permissions outside the bucket policy to allow access from the AWS Console. Doing the above did not give access. To get access, I also had to go to AWS Console -> VPC -> Endpoints, and then create an endpoint. I attached the newly created endpoint to the only routing policy the account has at the moment (that has all subnets attached to it) and I used the default policy of
{
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
}
]
}
创建端点后,我只需使用带有正确 URL 的 wget
即可从 VPC 中的任何 EC2 实例读取 S3 存储桶.我仍然可以从 AWS 控制台访问存储桶.但是,如果我尝试从 VPC 外部访问 URL,则会收到 403 forbidden.因此,对 S3 存储桶的访问仅限于单个 VPC,就像您要查找的内容一样.
Once I created the endpoint, I was able to read from the S3 bucket from any EC2 instance in my VPC simply using wget
with the right URL. I am still able to access the bucket from the AWS Console. But if I try to access the URL from outside the VPC, I get 403 forbidden. Thus, access to the S3 bucket is restricted to a single VPC, just like what you are looking for.
这显然是一个新功能.有关更多信息,请参阅此 AWS 博客条目信息.
This is apparently a new feature. See this AWS blog entry for more information.
这篇关于限制对 VPC 的 S3 存储桶访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!