S3 http access forbidden error

0

I have SSM document that accessing an S3 bucket using HTTPS. The bucket contains an installer . I can access the installer using below S3 policy, but it is open to public. Is there a way to restrict it to only in my Organization account?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:Get*"
            ],
            "Resource": "arn:aws:s3:::Bucket-Name/*"
        }
    ]
}

I tried to add a condition but I got 403 Forbidden error.

			"Condition": {
			    "StringEquals": {
				    "aws:PrincipalOrgID": ["o-xxxxxxxx"] 
				}  
			}

Any suggestions?

已提問 10 個月前檢視次數 187 次
1 個回答
0

Hi, it would be better to create an automation service role for SSM and include access to the S3 bucket in it. You can then get rid of the S3 bucket policy if its only purpose is SSM access

See https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html

profile pictureAWS
專家
已回答 10 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南