AWS访问策略评估不允许放置bucket策略
我已将以下策略附加到IAM用户:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutAnalyticsConfiguration",
"s3:GetObjectVersionTagging",
"s3:CreateBucket",
"s3:ReplicateObject",
"s3:GetObjectAcl",
"s3:DeleteBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:GetBucketWebsite",
"s3:PutReplicationConfiguration",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketNotification",
"s3:PutBucketCORS",
"s3:DeleteBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketNotification",
"s3:PutBucketLogging",
"s3:PutObjectVersionAcl",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetLifecycleConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:ReplicateTags",
"s3:RestoreObject",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:ListBucketMultipartUploads",
"s3:PutMetricsConfiguration",
"s3:PutObjectVersionTagging",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:PutInventoryConfiguration",
"s3:GetObjectTorrent",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutBucketWebsite",
"s3:PutBucketRequestPayment",
"s3:GetBucketCORS",
"s3:PutBucketPolicy",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::xyz123-mycloud-dump",
"arn:aws:s3:::xyz123-mycloud-dump/SAMPLE/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:HeadBucket"
],
"Resource": "*"
}
]
}
现在,有了附加了上述策略的IAM用户的访问凭据,我试图运行以下命令:
s3api put-bucket-policy --bucket xyz123-mycloud-dump --policy file://policy.json
其中,文件policy.json的内容为:
json prettyprint-override">{
"Statement": [
{
"Effect": "Allow",
"Principal": "arn:aws:iam::<the_account_number_to_which_the_user_belongs>:user/<the_IAM_user_name>",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::xyz123-mycloud-dump/SAMPLE/*", "arn:aws:s3:::xyz123-mycloud-dump"]
}
]
}
我得到了一个
调用PutBucket策略操作时发生错误(AccessDended):拒绝访问
现在我想知道为什么?
用户的策略语句允许对资源执行PutBucketPolicy:
xyz123-mycloud-dump,
xyz123-mycloud-dump/SAMPLE/
这就是我试图用我的上述政策所做的。那么,为什么访问被拒绝?
共有2个答案
从这里:
要解决拒绝访问错误,请检查以下内容:
- 您的IAM标识对s3:GetBucketPolicy和s3:PutBucketPolicy都有权限。
检查您是否有不知道的活动组织级SCP,或者是否启用了阻止公共访问。
如果您使用的策略是您发布的policy.json
我试过了,但它给了我一个错误:
{
"Version":"2012-10-17",
"Id": "randome",
"Statement":[
{
"Effect":"Allow",
"Principal": "arn:aws:iam::1234567890:user/username",
"Action": "s3:*",
"Resource":[
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/random/*"
]
}
]
}
$aws s3api put-bucket-policy --bucket mybucket --policy file://x.json
An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid policy syntax.
当我按照文件建议使用正确的政策时;
桶策略示例
{
"Version":"2012-10-17",
"Id": "randome",
"Statement":[
{
"Effect":"Allow",
"Principal": {
"AWS": "arn:aws:iam::1234567890:user/username"
},
"Action": "s3:*",
"Resource":[
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/random/*"
]
}
]
}
它起作用了
$ aws s3api put-bucket-policy --bucket mybucket --policy file://x.json
$ echo $?
0
-
已设置Hashicorp Vault docker容器,但在使用生成的令牌而不是根时,似乎无法获取数据库凭据。 重新创建的步骤: 我创建了最新的容器,获得了根令牌并使用它进行身份验证。 运行以下命令: 我还尝试将“vault write”替换为“vault kv put”,并成功执行所有命令。 所以我叫GEThttp://127.0.0.1:8200/v1/database/creds/Tenan
-
我创建了一个s3 bucket,并为其提供了以下bucket策略 显然,这只允许用户username1访问。现在username1已从IAM中删除。是否有任何方法可以恢复对此存储桶的访问。我有一个具有管理员权限的IAM帐户,但aws s3api delete-bucket-policy111似乎不起作用。
-
我正在寻找一些备份S3 bucket的建议或最佳实践。 备份S3数据的目的是防止数据丢失,原因如下: S3问题 意外从S3删除此数据的问题 经过一番调查,我看到以下选项: 使用版本控制http://docs.aws.amazon.com/amazons3/latest/dev/versioning.html 使用AWS SDK从一个S3桶复制到另一个S3桶 备份到Amazon Glacier ht
-
在SNS中,我设置了一个主题。 在IAM中,我设置了一个策略,允许仅从特定IP地址访问ARN主题: 我已将此策略附加到一个组,并将用户添加到此组。 从C#windows应用程序,我现在可以从策略中列出的指定SourceIp订阅和发布主题。 但是在这种情况下,我需要使用IAM用户的AccessKey和SecretAccessKey。 只要SourceIp是正确的,有没有一种方法可以绕过需要访问密钥和
-
我使用从使用API的ReactJS发送数据,我得到一个错误: 以下是错误: CORS策略已阻止从来源“http://localhost/2019/EURDU/user_controllers/userregistercontroller/userregistration”访问位于“http://localhost:3000”的XMLHttpRequest:飞行前响应中的access-control
-
我正在使用以下版本 null CORS策略阻止了从原点获取的访问:请求的资源上没有'Access->Control-Allow-Origin'标头。如果一个不透明的响应满足您的需要,请将请求的模式设置为“no-cors”,以便在禁用CORS的情况下获取资源。 我不明白为什么我会得到这个错误。 以下是从Google Chrome开发者工具中提取的相关请求和响应细节 推荐人策略:严格的-原产地-当-跨