S3 http access forbidden error


I have an SSM document that accesses an S3 bucket using HTTPS. The bucket contains an installer. I can access the installer using the S3 policy below, but it is open to the public. Is there a way to restrict it to only my Organization account?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:Get*"
            ],
            "Resource": "arn:aws:s3:::Bucket-Name/*"
        }
    ]
}

I tried to add a condition, but I got a 403 Forbidden error.

			"Condition": {
			    "StringEquals": {
				    "aws:PrincipalOrgID": ["o-xxxxxxxx"] 
				}  
			}

Any suggestions?

asked 10 months ago, 187 views
1 answer

Hi, it would be better to create an automation service role for SSM and include access to the S3 bucket in it. You can then get rid of the S3 bucket policy if its only purpose is SSM access.

See https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html

AWS
EXPERT
answered 10 months ago
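
One way to set up the service role the answer suggests, as an added example that is not part of the original thread: a CloudFormation template (JSON, to match the policy in the question) defining a role that Systems Manager Automation can assume, with read access to the installer bucket. The names `AutomationServiceRole` and `ReadInstallerBucket` are illustrative, `Bucket-Name` is the question's placeholder, and the example assumes the SSM document fetches the installer with a signed request made under this role rather than an anonymous HTTPS GET.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not from the original thread: SSM Automation service role with read-only access to the installer bucket. Resource and policy names are illustrative.",
  "Resources": {
    "AutomationServiceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "ssm.amazonaws.com" },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } }
              }
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "ReadInstallerBucket",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "AllowReadGetObject",
                  "Effect": "Allow",
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::Bucket-Name/*"
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```

With access granted through the role, the `"Principal": "*"` statement can be dropped from the bucket policy, as the answer notes, so the installer is no longer publicly readable.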
