How to protect AWS tagged resources via SCP?

【Title】How to protect AWS tagged resources via SCP? 【Posted】2021-12-21 13:34:22 【Question】:

I have some sensitive assets (Lambda, S3 buckets, IAM...) that I want to protect in case someone tries to wipe a bucket policy, delete a function, or otherwise damage these resources. They are all tagged with >:>. The problem is that I want to do this at the organization level, because I have multiple AWS accounts. I am using this policy in an SCP.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyActionsOnTaggedResources",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:DeleteBucketPolicy",
        "s3:PutAccessPointPolicyForObjectLambda",
        "s3:PutBucketPublicAccessBlock",
        "s3:DeleteAccessPointPolicyForObjectLambda",
        "s3:PutMultiRegionAccessPointPolicy",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:DeleteAccessPointPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutAccessPointPolicy",
        "s3:BypassGovernanceRetention",
        "lambda:DeleteFunction",
        "lambda:DeleteCodeSigningConfig",
        "lambda:DeleteFunctionCodeSigningConfig",
        "lambda:AddLayerVersionPermission",
        "lambda:RemoveLayerVersionPermission",
        "lambda:EnableReplication",
        "lambda:AddPermission",
        "lambda:DisableReplication",
        "lambda:DeleteLayerVersion",
        "lambda:DeleteFunctionEventInvokeConfig",
        "lambda:PublishVersion",
        "lambda:CreateAlias",
        "lambda:RemovePermission",
        "iam:DeleteRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteUserPolicy",
        "iam:DeleteGroupPolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePermissionsBoundary",
        "iam:CreatePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/<<MY_KEY>>": "<<MY_VALUE>>"
        },
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/<<MY_ROLE>>"
          ]
        }
      }
    }
  ]
}
```
For testing, whenever I use a role that is not my role, I can still modify the resources. Where is my mistake?

【Comments】:

"For testing, whenever I use a role that is not my role, I can still modify the resources." Very unclear - what do you mean? What is the name of the role you are using?

Which specific API calls are you testing? Some calls may not accept ResourceTag as a condition.

【Answer 1】:

Could you change this StringNotEquals to StringNotLike and try again? StringNotEquals does not work when you use a wildcard (*) in the Condition. The rest of the policy looks fine.

String condition operators

I would also suggest using Access Analyzer to validate the policy. It will catch errors like this while you are building the policy. See Access Analyzer.


【Answer 2】:

It turns out @John Rotenstein was right. S3 API calls do not support ResourceTag as a condition.

Since this was an urgent need at work, I ended up opening a support case with AWS, and they replied with this:

I understand you are trying to restrict actions on an S3 bucket using the ResourceTag condition key.

Unfortunately, you cannot currently use the AWS:ResourceTag condition key to control access to the S3 bucket; please refer to the following documentation[1]. In the documentation, you can see that the only resource type that currently supports the aws:ResourceTag condition key is "storagelensconfiguration". There is an existing feature request with the S3 service team to add support for the AWS:ResourceTag condition key, which I have +1'd on your behalf. I am unable to provide an ETA for when the feature might get released since I have no visibility over the processes of the service team. However, all new feature announcements will be made available on our What's New with AWS page[2].

When it comes to controlling access to S3 with the use of tags, we do have examples in the following AWS documentation[3] which use the tags applied to specific objects to control access. It makes use of the condition keys s3:ExistingObjectTag/<tag-key>, s3:RequestObjectTagKeys and s3:RequestObjectTag/<tag-key> to control access to certain S3 actions; however, it requires the individual objects to be tagged, and it will not work with tags at the bucket level. I would suggest reading through the above linked documentation[3] and seeing if the solution described in it will meet your organization's needs.

I hope you find the above information helpful, please let me know if you have any additional questions.

[1] Actions, resources, and condition keys for Amazon S3 - https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html
[2] What's New with AWS? - https://aws.amazon.com/new/
[3] Tagging and access control policies - https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html
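As an added illustration (not part of either answer), a small Python model of IAM string-condition evaluation that reproduces the two findings above: the posted StringNotEquals compares the wildcard ARN literally, StringNotLike fixes that, and S3 bucket actions never carry aws:ResourceTag, so the Deny never applies to them. The account ID, the "Developer" role name and the request contexts are constructed; the placeholders are the ones from the question.

```python
import re

# The question's Condition block, with the page's placeholders kept as-is.
TAG_KEY = "aws:ResourceTag/<<MY_KEY>>"
TAG_VALUE = "<<MY_VALUE>>"
EXEMPT_ROLE = "arn:aws:iam::*:role/<<MY_ROLE>>"

# Constructed request contexts. Lambda populates aws:ResourceTag for a tagged
# function; S3 bucket actions do not (the support reply's point), so the key is absent.
LAMBDA_CTX = {TAG_KEY: TAG_VALUE}
S3_CTX = {}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(operator: str, pattern: str, context: dict, key: str) -> bool:
    """Evaluate one single-valued IAM string condition against a request context.
    IAM treats a key missing from the context as 'false' for StringEquals/StringLike
    and as 'true' for the negated operators StringNotEquals/StringNotLike."""
    negated = operator.startswith("StringNot")
    if key not in context:
        return negated
    if operator.endswith("Like"):
        hit = string_like(pattern, context[key])
    else:
        hit = pattern == context[key]  # literal comparison: '*' is just a character here
    return hit != negated


def scp_denies(principal_arn: str, context: dict, principal_operator: str) -> bool:
    """True when the posted Deny statement applies: the resource carries the protected
    tag AND the caller is not the exempt role. principal_operator is "StringNotEquals"
    (as posted) or "StringNotLike" (the fix from the first answer)."""
    ctx = {**context, "aws:PrincipalArn": principal_arn}
    tagged = condition_matches("StringEquals", TAG_VALUE, ctx, TAG_KEY)
    not_exempt = condition_matches(principal_operator, EXEMPT_ROLE, ctx, "aws:PrincipalArn")
    return tagged and not_exempt


if __name__ == "__main__":
    admin = "arn:aws:iam::111122223333:role/<<MY_ROLE>>"  # constructed account id
    dev = "arn:aws:iam::111122223333:role/Developer"      # constructed role name
    # As posted: the wildcard is compared literally, so even the exempt role is denied.
    print("posted, exempt role, Lambda:", scp_denies(admin, LAMBDA_CTX, "StringNotEquals"))  # True
    # With StringNotLike the exempt role passes and everyone else is denied.
    print("fixed, exempt role, Lambda:", scp_denies(admin, LAMBDA_CTX, "StringNotLike"))  # False
    print("fixed, other role, Lambda:", scp_denies(dev, LAMBDA_CTX, "StringNotLike"))  # True
    # S3 bucket actions never carry aws:ResourceTag, so the Deny silently never applies.
    print("fixed, other role, S3:", scp_denies(dev, S3_CTX, "StringNotLike"))  # False
```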

