2016-03-02 165 views
0

I am working with my IT team to restrict my user account (under the root account) so that it cannot access S3 buckets I don't want it to access. When the AWSLambdaFullAccess policy is enabled it has full access to many AWS features, including all of S3. Below is the AWSLambdaFullAccess policy:

AWS IAM policy: how do I change the AWSLambdaFullAccess policy to allow access to only one S3 bucket?

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Action": [ 
     "cloudwatch:*", 
     "cognito-identity:ListIdentityPools", 
     "cognito-sync:GetCognitoEvents", 
     "cognito-sync:SetCognitoEvents", 
     "dynamodb:*", 
     "events:*", 
     "iam:ListAttachedRolePolicies", 
     "iam:ListRolePolicies", 
     "iam:ListRoles", 
     "iam:PassRole", 
     "kinesis:DescribeStream", 
     "kinesis:ListStreams", 
     "kinesis:PutRecord", 
     "lambda:*", 
     "logs:*", 
     "s3:*", 
     "sns:ListSubscriptions", 
     "sns:ListSubscriptionsByTopic", 
     "sns:ListTopics", 
     "sns:Subscribe", 
     "sns:Unsubscribe" 
     ], 
     "Resource": "*" 
    } 
    ] 
} 

Most of this is fine. How do I modify it into a new policy so that I can only access the "arn:aws:s3:::lambda-scripts" bucket?

Answers

2

The most straightforward edit I can think of would involve removing "s3:*" from the Action of your statement and adding a second statement that grants S3 access to just that bucket.

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Action": [ 
     "cloudwatch:*", 
     "cognito-identity:ListIdentityPools", 
     "cognito-sync:GetCognitoEvents", 
     "cognito-sync:SetCognitoEvents", 
     "dynamodb:*", 
     "events:*", 
     "iam:ListAttachedRolePolicies", 
     "iam:ListRolePolicies", 
     "iam:ListRoles", 
     "iam:PassRole", 
     "kinesis:DescribeStream", 
     "kinesis:ListStreams", 
     "kinesis:PutRecord", 
     "lambda:*", 
     "logs:*", 
     "sns:ListSubscriptions", 
     "sns:ListSubscriptionsByTopic", 
     "sns:ListTopics", 
     "sns:Subscribe", 
     "sns:Unsubscribe" 
     ], 
     "Resource": "*" 
    }, 
    { 
     "Sid": "S3LambdaScripts", 
     "Effect": "Allow", 
     "Action": [ 
      "s3:*" 
     ], 
     "Resource": [ 
      "arn:aws:s3:::lambda-scripts*" 
     ] 
    } 
    ] 
} 

The better answer is that you really shouldn't be using the predefined AWSLambdaFullAccess policy at all. Instead, build your own out of multiple statements targeting the services and resources you actually need. For example, are you really using Dynamo, Kinesis, Cognito, etc.? Yes, it is tedious. But if you save the smaller increments as user-defined policies in IAM, you can combine custom and predefined policies together more easily.

+0

I'll go with that. Indeed, the AWSLambdaFullAccess policy grants more access than I need. I'll create a new policy that trims all the fat.

0

Split the S3 permissions into separate statements and change the Resource setting of those statements. Something like this:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Action": [ 
     "cloudwatch:*", 
     "cognito-identity:ListIdentityPools", 
     "cognito-sync:GetCognitoEvents", 
     "cognito-sync:SetCognitoEvents", 
     "dynamodb:*", 
     "events:*", 
     "iam:ListAttachedRolePolicies", 
     "iam:ListRolePolicies", 
     "iam:ListRoles", 
     "iam:PassRole", 
     "kinesis:DescribeStream", 
     "kinesis:ListStreams", 
     "kinesis:PutRecord", 
     "lambda:*", 
     "logs:*", 
     "sns:ListSubscriptions", 
     "sns:ListSubscriptionsByTopic", 
     "sns:ListTopics", 
     "sns:Subscribe", 
     "sns:Unsubscribe" 
     ], 
     "Resource": "*" 
    }, 
    {
     "Effect": "Allow",
     "Action": [
      "s3:ListBucket",
      "s3:GetBucketLocation"
     ],
     "Resource": "arn:aws:s3:::lambda-scripts"
    },
    {
     "Effect": "Allow",
     "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject"
     ],
     "Resource": "arn:aws:s3:::lambda-scripts/*"
    }
    ] 
} 
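To check what the split S3 statements above (and the single wildcard statement in the first answer) actually grant before attaching them, here is an added example that is not from either answer and not an AWS library: a small offline, simplified IAM evaluator in Python run against a constructed policy carrying the second answer's two S3 statements. It ignores conditions, NotAction/NotResource and resource-based policies, and the function and policy names are mine.

```python
import json
import re

# Constructed sample (not the page's JSON verbatim): one broad non-S3 statement
# plus the two bucket-scoped S3 statements from the second answer.
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "logs:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::lambda-scripts"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::lambda-scripts/*"}
  ]
}
""")


def glob_match(pattern, value):
    """IAM-style wildcard match: '*' spans any characters (including '/'), '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise
    any matching Allow grants, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(glob_match(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(glob_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(evaluate(RESTRICTED_POLICY, "s3:GetObject", "arn:aws:s3:::lambda-scripts/app.zip"))
    print(evaluate(RESTRICTED_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/app.zip"))
    # The first answer's pattern also matches any bucket whose name merely starts with the prefix.
    print(glob_match("arn:aws:s3:::lambda-scripts*", "arn:aws:s3:::lambda-scripts-prod/app.zip"))
```

Two things the evaluation makes visible: the bucket-level statement (no `/*`) does not cover object keys and the object-level statement does not cover `s3:ListBucket`, so both are needed; and the restricted policy gives no `s3:ListAllMyBuckets`, so bucket listing in the console will fail even though the one bucket is fully usable.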