AWS 访问策略评估不允许放置存储桶策略

Posted 2023-04-13

【中文标题】AWS 访问策略评估不允许放置存储桶策略

【英文标题】：AWS access policy evaluation not allowing to put bucket policy

【发布时间】：2021-02-05 09:52:01

【问题描述】：

我为 IAM 用户附加了以下策略：

    "Version": "2012-10-17",
    "Statement": [
        
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutAnalyticsConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:CreateBucket",
                "s3:ReplicateObject",
                "s3:GetObjectAcl",
                "s3:DeleteBucketWebsite",
                "s3:PutLifecycleConfiguration",
                "s3:GetObjectVersionAcl",
                "s3:PutBucketAcl",
                "s3:PutObjectTagging",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:GetBucketWebsite",
                "s3:PutReplicationConfiguration",
                "s3:DeleteObjectVersionTagging",
                "s3:GetBucketNotification",
                "s3:PutBucketCORS",
                "s3:DeleteBucketPolicy",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutBucketNotification",
                "s3:PutBucketLogging",
                "s3:PutObjectVersionAcl",
                "s3:GetAnalyticsConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetLifecycleConfiguration",
                "s3:GetInventoryConfiguration",
                "s3:GetBucketTagging",
                "s3:PutAccelerateConfiguration",
                "s3:DeleteObjectVersion",
                "s3:GetBucketLogging",
                "s3:ListBucketVersions",
                "s3:ReplicateTags",
                "s3:RestoreObject",
                "s3:ListBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketPolicy",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "s3:GetObjectVersionTorrent",
                "s3:AbortMultipartUpload",
                "s3:PutBucketTagging",
                "s3:GetBucketRequestPayment",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:DeleteBucket",
                "s3:PutBucketVersioning",
                "s3:PutObjectAcl",
                "s3:ListBucketMultipartUploads",
                "s3:PutMetricsConfiguration",
                "s3:PutObjectVersionTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:PutInventoryConfiguration",
                "s3:GetObjectTorrent",
                "s3:ObjectOwnerOverrideToBucketOwner",
                "s3:PutBucketWebsite",
                "s3:PutBucketRequestPayment",
                "s3:GetBucketCORS",
                "s3:PutBucketPolicy",
                "s3:GetBucketLocation",
                "s3:ReplicateDelete",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::xyz123-mycloud-dump",
                "arn:aws:s3:::xyz123-mycloud-dump/SAMPLE/*"
            ]
        ,
        
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        
    ]

现在使用附加了上述策略的 IAM 用户的访问凭证，我正在尝试运行以下命令：

s3api put-bucket-policy --bucket xyz123-mycloud-dump --policy file://policy.json

policy.json 文件的内容在哪里：

    "Statement": [
      
          "Effect": "Allow",
          "Principal": "arn:aws:iam::<the_account_number_to_which_the_user_belongs>:user/<the_IAM_user_name>",
          "Action": "s3:*",
          "Resource": ["arn:aws:s3:::xyz123-mycloud-dump/SAMPLE/*", "arn:aws:s3:::xyz123-mycloud-dump"]
      
    ]

我得到一个

调用 PutBucketPolicy 操作时发生错误（AccessDenied）：访问被拒绝

现在我想知道为什么？

用户的政策声明允许PutBucketPolicy 对资源：

xyz123-mycloud-dump,
xyz123-mycloud-dump/SAMPLE/

这就是我在上面的政策中尝试做的事情。那为什么拒绝访问呢？

【参考方案1】：

如果您在使用 policy.json 发布时的政策

我试过它给了我错误：

    "Version":"2012-10-17",
    "Id": "randome",
    "Statement":[
      
        "Effect":"Allow",
        "Principal": "arn:aws:iam::1234567890:user/username",
        "Action": "s3:*",
        "Resource":[
            "arn:aws:s3:::mybucket",
            "arn:aws:s3:::mybucket/random/*"
        ]
      
    ]
  

$aws s3api put-bucket-policy --bucket mybucket --policy file://x.json

An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid policy syntax.

当我按照文档建议使用正确的政策时；

Bucket Policy Examples

    "Version":"2012-10-17",
    "Id": "randome",
    "Statement":[
      
        "Effect":"Allow",
       "Principal": 
          "AWS": "arn:aws:iam::1234567890:user/username"
        ,
        "Action": "s3:*",
        "Resource":[
            "arn:aws:s3:::mybucket",
            "arn:aws:s3:::mybucket/random/*"
        ]
      
    ]
  

有效

$ aws s3api put-bucket-policy --bucket mybucket --policy file://x.json
$ echo $?
0

【讨论】：

上述政策是不是缺少一个结束“？@samtoddler

@qre0ct 对不起，这是复制粘贴问题。更新

我将Principal 更改为看起来像 "AWS": "arn:aws:iam::<the_account_number_to_which_the_user_belongs>:user/<the_IAM_user_name>", 我还添加了version 和id 属性。结果没有什么不同。

@qre0ct 检查您的凭据是否是您希望他们使用的凭据sts get-caller-identity

@samtodler 凭据是我需要的。我只是想了解为什么它不起作用，什么时候看起来应该。

【参考方案2】：

来自here：

要解决拒绝访问错误，请检查以下内容：

您的 IAM 身份同时拥有 s3:GetBucketPolicy 和 s3:PutBucketPolicy 的权限。 存储桶策略不会拒绝您的 IAM 身份 s3:GetBucketPolicy 或 s3:PutBucketPolicy 的权限。 启用 Amazon S3 阻止公共访问后，您对存储桶策略的更改不会授予公共访问权限。 AWS Organizations 服务控制策略允许访问 Amazon S3。 如果存储桶策略拒绝所有人访问 s3:GetBucketPolicy、s3:PutBucketPolicy 或所有 Amazon S3 操作 (s3:*)，则删除存储桶策略。

检查您是否有您不知道的活动组织级别 SCP，或者是否启用了阻止公共访问。

【讨论】：

已启用阻止公共访问。但我不认为这是政策试图提供的公共访问权限。该策略只是尝试向该特定 IAM 用户授予 * 访问权限。其余的点都照顾好了。