限制对 VPC 的 S3 存储桶访问 [英] Restricting S3 bucket access to a VPC

问题描述

我正在尝试应用以下策略以限制 my_bucket 对特定 VPC 的访问.

I am trying to apply the following policy in order to restrict my_bucket's access to a particular VPC.

当我尝试将此作为存储桶策略应用时，我得到一个 Policy has an invalid condition key - ec2:Vpc.

When I try to apply this as a bucket policy, I get an Policy has an invalid condition key - ec2:Vpc.

我该如何纠正?

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Deny",
         "Principal": {
            "AWS": "*"
         },
         "Action": "*",
         "Resource": "arn:aws:s3:::my_bucket/*",
         "Condition":{
            "StringNotEquals": {
               "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-ccccccc"
            }
         }
      }
   ]
}

推荐答案

我刚刚开始使用它.我必须做两件事.1) 在 S3 存储桶上创建存储桶策略，2) 创建VPC 端点"

I just got this to work. I had to do two things. 1) Create the bucket policy on the S3 bucket, 2) create a "VPC Endpoint"

我的 S3 存储桶策略如下所示(当然要输入您的存储桶名称和 VPC 标识符):

My S3 bucket policy looks like this (of course put in your bucket name and VPC identifier):

{
    "Version": "2012-10-17",
    "Id": "Policy1234567890123",
    "Statement": [
        {
            "Sid": "Stmt1234567890123",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my_bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpc-12345678"
                }
            }
        }
    ]
}

S3 存储桶还具有存储桶策略之外的一些权限，以允许从 AWS 控制台进行访问.执行上述操作并没有提供访问权限.为了获得访问权限，我还必须转到 AWS 控制台 ->VPC ->端点，然后创建端点.我将新创建的端点附加到该帐户目前唯一的路由策略(所有子网都附加到它)并且我使用了默认策略

The S3 bucket also has some permissions outside the bucket policy to allow access from the AWS Console. Doing the above did not give access. To get access, I also had to go to AWS Console -> VPC -> Endpoints, and then create an endpoint. I attached the newly created endpoint to the only routing policy the account has at the moment (that has all subnets attached to it) and I used the default policy of

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}

创建端点后，我只需使用带有正确 URL 的 wget 即可从 VPC 中的任何 EC2 实例读取 S3 存储桶.我仍然可以从 AWS 控制台访问存储桶.但是，如果我尝试从 VPC 外部访问 URL，则会收到 403 forbidden.因此，对 S3 存储桶的访问仅限于单个 VPC，就像您要查找的内容一样.

Once I created the endpoint, I was able to read from the S3 bucket from any EC2 instance in my VPC simply using wget with the right URL. I am still able to access the bucket from the AWS Console. But if I try to access the URL from outside the VPC, I get 403 forbidden. Thus, access to the S3 bucket is restricted to a single VPC, just like what you are looking for.

这显然是一个新功能.有关更多信息，请参阅此 AWS 博客条目信息.

This is apparently a new feature. See this AWS blog entry for more information.

这篇关于限制对 VPC 的 S3 存储桶访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！