Hello.
Since CloudFront is using the OAC security framework, I am a little uncertain how to do this. The refresh tokens associated with IAM Identity Center SSO seem problematic unless I automate the refresh of the tokens too.
If the authentication information is to be used for regular batches, etc., I think it is a good idea to use the access key and secret access key created from the IAM user.
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html#AccessControlMethods
You might have specific use cases that require long-term credentials with IAM users in AWS. You can use IAM to create these IAM users in your AWS account, and use IAM to manage their permissions. Some of the use cases include the following:
- Workloads that can't use IAM roles
- Third-party AWS clients that require programmatic access through access keys
- Service-specific credentials for AWS CodeCommit or Amazon Keyspaces
- AWS IAM Identity Center is not available for your account and you have no other identity provider
As a best practice in scenarios in which you need IAM users with programmatic access and long-term credentials, we recommend that you update access keys when needed. For more information, see Updating access keys.
I can't find any relevant info on how I would extend the permissions of the bucket and whether the best place to do it is via OAC (which seems immutable) or the bucket itself, currently only allowing the s3:GetObject action for the CloudFront service.
You can restrict the ability of only specific IAM users to delete and upload objects using the bucket policy for your S3 bucket.
For example, if you set the following bucket policy, IAM user "userA" will be allowed "s3:PutObject" and "s3:DeleteObject".
Please allow "s3:PutObject" and "s3:DeleteObject" in the IAM policy of IAM user "userA".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "sid1",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:username": "userA"
        }
      }
    }
  ]
}
If you want to use it together with the bucket policy set with OAC, I think you should do the following.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
        }
      }
    },
    {
      "Sid": "sid1",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:username": "userA"
        }
      }
    }
  ]
}
Spot on, that is exactly the advice I was looking for. I was already going down that path and had created an IAM user with access key and secret access key, but was hoping that I could get an endorsement on this approach.
As for the IAM user itself, I have granted it the following permissions policy (AmazonS3FullAccess), which seemed too broad. Should I remove it?
That makes sense, so replace the AmazonS3FullAccess policy with an inline policy that looks like what you cited above?
Thank you, I will look into the latter suggestion. For now I have the inline policy in place, restricting access to two separate folder objects, but I think your suggestion might be more robust.
I got around to implementing this and am hitting an "implicit deny" error. My user is an IAM user and I am using access key with secret access key. Any idea why that might be happening?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::amazon-cloudfront-secure-static-site--s3bucketroot-xxxxxxxxxxxx/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::xxxxxxxxxxxx:distribution/XXXXXXXXXXXXXX"
        }
      }
    },
    {
      "Sid": "DenyAllButMunkiUser",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::amazon-cloudfront-secure-static-site--s3bucketroot-XXXXXXXXXXXX/*",
      "Condition": {
        "StringNotEquals": {
          "aws:username": "myuser"
        }
      }
    }
  ]
}
Here is the inline policy for the user "myuser":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::amazon-cloudfront-secure-static-site--s3bucketroot-xxxxxxxxxxxx/*",
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "folder1/",
            "folder2/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    }
  ]
}
The "AmazonS3FullAccess" policy has all S3 operation privileges, so if possible, I recommend setting a custom IAM policy that focuses only on the necessary operations. For example, if you are using the AWS CLI command "aws s3 sync", you will be able to execute the command if the following IAM policy is set.
You can set an inline policy, or if there is a possibility that other IAM users or IAM roles will use the same IAM policy, you can create a custom IAM policy and set it for the IAM user. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-start
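As an added illustration that is not code from this thread or from AWS, the following Python model of IAM policy evaluation shows why the "myuser" inline policy above yields an implicit deny (its "/*" resource never matches the bucket ARN that s3:ListBucket needs, and the list-only s3:prefix key is absent from object requests, so StringEquals fails), and how a split, least-privilege policy of the kind recommended for "aws s3 sync" evaluates together with the thread's bucket-policy Deny. The bucket name, folder names, user names and request contexts are constructed; the evaluator is a simplified stand-in for the IAM engine, keeping only the rules relevant here.

```python
import fnmatch

BUCKET = "arn:aws:s3:::example-bucket"  # constructed placeholder bucket name
# Constructed stand-in for the asker's inline policy: object-style resource ("/*")
# and the list-only s3:prefix condition applied to every action.
ORIGINAL_INLINE = [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:DeleteObject", "s3:PutObject"],
    "Resource": [BUCKET + "/*"],
    "Condition": {"StringEquals": {"s3:prefix": ["", "folder1/", "folder2/"]}},
}]
# Corrected least-privilege split: ListBucket on the bucket ARN with the prefix
# condition; object actions on keys under the two folders, with no list-only keys.
CORRECTED_INLINE = [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringEquals": {"s3:prefix": ["", "folder1/", "folder2/"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": [BUCKET + "/folder1/*", BUCKET + "/folder2/*"]},
]
# The thread's bucket-policy Deny: writes are refused for anyone but "userA".
BUCKET_DENY = [{"Effect": "Deny", "Action": ["s3:PutObject", "s3:DeleteObject"],
                "Resource": [BUCKET + "/*"],
                "Condition": {"StringNotEquals": {"aws:username": ["userA"]}}}]

def condition_matches(cond, ctx):
    """StringEquals fails when its key is absent from the request context;
    the negated StringNotEquals matches when the key is absent."""
    for key, allowed in cond.get("StringEquals", {}).items():
        if key not in ctx or ctx[key] not in allowed:
            return False
    for key, blocked in cond.get("StringNotEquals", {}).items():
        if key in ctx and ctx[key] in blocked:
            return False
    return True

def evaluate(statements, action, resource, ctx=None):
    """Simplified IAM decision: an explicit deny wins, else any matching allow,
    else implicit deny. Action and Resource use IAM-style '*' wildcards."""
    ctx = ctx or {}
    decision = "implicit deny"
    for s in statements:
        if not any(fnmatch.fnmatchcase(action, p) for p in s["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in s["Resource"]):
            continue
        if not condition_matches(s.get("Condition", {}), ctx):
            continue
        if s["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision
```

Running `evaluate(ORIGINAL_INLINE, "s3:PutObject", BUCKET + "/folder1/app.pkg")` returns "implicit deny", while the same call against CORRECTED_INLINE returns "allow"; combined with BUCKET_DENY, a PutObject by any username other than "userA" becomes an explicit deny.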