使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

S3 http access forbidden error

0

I have SSM document that accessing an S3 bucket using HTTPS. The bucket contains an installer . I can access the installer using below S3 policy, but it is open to public. Is there a way to restrict it to only in my Organization account?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:Get*"
            ],
            "Resource": "arn:aws:s3:::Bucket-Name/*"
        }
    ]
}

I tried to add a condition but I got 403 Forbidden error.

			"Condition": {
			    "StringEquals": {
				    "aws:PrincipalOrgID": ["o-xxxxxxxx"] 
				}  
			}

Any suggestions?

主题
存储
标签
亚马逊简单存储服务 (S3)
语言
English
rePost-User-4804538
已提问 1 年前201 查看次数
1 回答
0

Hi, it would be better to create an automation service role for SSM and include access to the S3 bucket in it. You can then get rid of the S3 bucket policy if its only purpose is SSM access

See https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html

profile pictureAWS
专家
Didier_Durand
已回答 1 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容