使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

Using root account in elb S3 policy

0

Hi, In the documentation to enable ELB logs, it is stated that I should add the following policy to my S3 bucket :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
    }
  ]
}

I'm a bit confused by the "Principal" field. It seems to allow the root user of a global elb account. Who does this policy actually allow to access the bucket ? Does that mean anyone can send their elb logs to my bucket provided they know the arn ? Or is it only for my aws account ?

主题
安全、身份和合规性存储
标签
AWS 身份和访问权限管理IAM 策略亚马逊 S3 访问授权
语言
English
Alexf
已提问 4 个月前178 查看次数
1 回答
1

You should replace elb-account-id with your AWS Account ID (twelve digits).

This will allow the root of YOUR ACCOUNT, and only, to perform the action in the S3 bucket defined by the ARN. The root is the Principal that collects the data and you need to specify it in this resource-based policy.

profile picture
Ibrahim Cesar
已回答 4 个月前
  • Alexf
    4 个月前

    Thanks for your answer. The documentation says the following though : Replace elb-account-id with the ID of the AWS account for Elastic Load Balancing for your Region And then lists all the IDs for the different regions. Why ?

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容