S3 http access forbidden error

0

I have SSM document that accessing an S3 bucket using HTTPS. The bucket contains an installer . I can access the installer using below S3 policy, but it is open to public. Is there a way to restrict it to only in my Organization account?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:Get*"
            ],
            "Resource": "arn:aws:s3:::Bucket-Name/*"
        }
    ]
}

I tried to add a condition but I got 403 Forbidden error.

			"Condition": {
			    "StringEquals": {
				    "aws:PrincipalOrgID": ["o-xxxxxxxx"] 
				}  
			}

Any suggestions?

gefragt vor 10 Monaten187 Aufrufe
1 Antwort
0

Hi, it would be better to create an automation service role for SSM and include access to the S3 bucket in it. You can then get rid of the S3 bucket policy if its only purpose is SSM access

See https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html

profile pictureAWS
EXPERTE
beantwortet vor 10 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen