Problem description

I have a Bucket Policy (listed below) that is supposed to prevent access to an S3 bucket when accessed from anywhere other than a specific VPC. I launched an EC2 instance in the VPC, tested and confirmed that S3 access works fine. Now, when I access the same S3 bucket over web console, I get 'Error - Access Denied' message.

Does this also mean that the aws:SourceVpc condition key is present in the request context when interacting with S3 through the web console?

My assumption is that it is present in the request context, as otherwise the policy statement would have failed such that the statement's "Effect" does not apply, because there is no "IfExists" added to StringNotEquals. I am asking this question because I could not find this information in the AWS documentation. Even after adding "IfExists" to StringNotEquals, the results are the same; can someone confirm?

{
    "Version": "2012-10-17",
    "Id": "Policy1589385141624",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::abhxy12bst3",
                "arn:aws:s3:::abhxy12bst3/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "vpc-0xy915sdfedb5667"
                }
            }
        }
    ]
}

Recommended answer

Yes, you are right. I tested the following bucket policy; the operations from the AWS S3 console are denied.

{
    "Version": "2012-10-17",
    "Id": "Policy1589385141624",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::abhxy12bst3",
                "arn:aws:s3:::abhxy12bst3/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:sourceVpc": "vpc-30*"
                }
            }
        }
    ]
}

It means there is definitely some VPC id present in the request. It might be the same for each account or it could be different.
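To make the behaviour of the question's StringNotEquals Deny (and the answer's StringLike variant) concrete, here is a small added evaluator that is not part of the question or the answer. It models the documented IAM rules for a context key that is missing from the request: a negated operator such as StringNotEquals matches when the key is absent, and an operator with the IfExists suffix also evaluates to true when the key is absent, so neither form prevents the Deny from applying to a request that carries no aws:SourceVpc. The VPC ids are the sample values from the page; the "vpc-other" value is constructed.

```python
"""Toy evaluator for the Condition block of one IAM Deny statement.

Added example (not AWS code, not from the question or answer). It follows
the documented IAM semantics for an absent context key: negated operators
(StringNot*) and any ...IfExists operator evaluate to true when the key is
missing. Condition key names are compared case-insensitively, as in IAM.
"""
from fnmatch import fnmatchcase

def _op_matches(operator, policy_values, request_value):
    """Apply one String* operator (case-sensitive values) to a request value."""
    vals = policy_values if isinstance(policy_values, list) else [policy_values]
    if operator == "StringEquals":
        return request_value in vals
    if operator == "StringNotEquals":
        return request_value not in vals
    if operator == "StringLike":
        return any(fnmatchcase(request_value, v) for v in vals)
    if operator == "StringNotLike":
        return not any(fnmatchcase(request_value, v) for v in vals)
    raise ValueError(f"unsupported operator {operator}")

def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block matches."""
    ctx = {k.lower(): v for k, v in context.items()}  # key names are case-insensitive
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, policy_values in pairs.items():
            if key.lower() not in ctx:
                # Absent key: IfExists -> true, negated operator -> true, otherwise false.
                if not (if_exists or base.startswith("StringNot")):
                    return False
                continue
            if not _op_matches(base, policy_values, ctx[key.lower()]):
                return False
    return True

def deny_applies(statement, context):
    """True when this Deny statement's Condition matches the request context."""
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], context)

# The Deny statement from the question (VPC id is the question's sample value).
STATEMENT = {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-0xy915sdfedb5667"}}}

if __name__ == "__main__":
    print(deny_applies(STATEMENT, {"aws:SourceVpc": "vpc-0xy915sdfedb5667"}))  # False
    print(deny_applies(STATEMENT, {"aws:SourceVpc": "vpc-other"}))              # True
    print(deny_applies(STATEMENT, {}))                                          # True
```

The third call shows why adding IfExists changes nothing here: a request with no aws:SourceVpc key is denied either way, so "denied from the console" by itself does not prove the key was present.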

10-30 07:34