使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Using root account in elb S3 policy

0

Hi, In the documentation to enable ELB logs, it is stated that I should add the following policy to my S3 bucket :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
    }
  ]
}

I'm a bit confused by the "Principal" field. It seems to allow the root user of a global elb account. Who does this policy actually allow to access the bucket ? Does that mean anyone can send their elb logs to my bucket provided they know the arn ? Or is it only for my aws account ?

主題
安全性、身分識別與合規儲存空間
標籤
AWS Identity and Access ManagementIAM 政策Amazon S3 存取授權
語言
English
Alexf
已提問 4 個月前檢視次數 178 次
1 個回答
1

You should replace elb-account-id with your AWS Account ID (twelve digits).

This will allow the root of YOUR ACCOUNT, and only, to perform the action in the S3 bucket defined by the ARN. The root is the Principal that collects the data and you need to specify it in this resource-based policy.

profile picture
Ibrahim Cesar
已回答 4 個月前
  • Alexf
    4 個月前

    Thanks for your answer. The documentation says the following though : Replace elb-account-id with the ID of the AWS account for Elastic Load Balancing for your Region And then lists all the IDs for the different regions. Why ?

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容