使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

S3 Block Public Access + Bucket Policy - Access Denied

0

We are running an S3 Bucket with a Cloudfront In front of it. Recently we've turned enabled block public access (All four options enabled under Individual Block Public Access settings for this bucket, but now our Fargate ECS instance is getting Access Denied doing a s3client.putobject. Images are able to be pulled through the Cloudfront URLs, s3 object are blocked, but we are unable to upload any new images from our ECS instances. How do we allow the ECS task instances to putObject

A (wide) bucket policy was added:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<aws-account>:role/<ecs-task-role>",
                    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI>"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

The ecs-task-role has AmazonS3FullAccess. We can manually upload to console.

Removing the following two options from block public access does again allow us to put, but then the s3 object urls are public which we want to be non-accessible.

  • Block public access to buckets and objects granted through new access control lists (ACLs)
  • Block public access to buckets and objects granted through any access control lists (ACLs)
主題
儲存空間容器安全性、身分識別與合規
標籤
Amazon Simple Storage ServiceAmazon Elastic Container ServiceIAM 政策
語言
English
AWS-User-5959212
已提問 2 年前檢視次數 1277 次
2 個答案
0

One possible solution would be to have Fargate tasks deployed in a VPC, and then configure an S3 endpoint in that VPC. This approach is detailed in the Fargate task networking documentation. You can also reference the Amazon ECR interface VPC endpoints (AWS PrivateLink) documentation.

Kevin
已回答 2 年前
0
  1. It is recommended to go to CloudTrail and see if you can identify the API call made by the ECS task and see which one is denied, and sometimes the CloudTrail entry will give you more specific reason of the denial;
  2. Are you encrypting any S3 contents?
  3. Do you have any ACLs set?
  4. Lastly you might know this and it might be your usecase but in putting the CloudFront OAI in the policy effectively allow any random user can view, delete and update the files and even bucket in your S3, which I rarely recommend.
Jason_S
已回答 2 年前
profile picture
專家
Giovanni Lauria
已審閱 1 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容