Deleting CloudFront OAI breaks bucket policy

Question


If I have a bucket with this policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "EB73SOC545AIK",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EB73SOC545AIK"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket-app-dev-bucket/*"
        }
    ]
}

And I delete the CloudFront distribution that uses OAI EB73SOC545AIK, something automatically updates my bucket policy with this value:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "EB73SOC545AIK",
            "Effect": "Allow",
            "Principal": {
                "AWS": "AIDAIHJ7YKCENOC6XHCIQ"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket-app-dev-bucket/*"
        }
    ]
}

It is a malformed policy.

This is very annoying because it happens without you noticing, and later if you use boto3 to append a new statement (without changing the previous one), for example like this:

import json
import boto3

client = boto3.client('s3')
# bucket: name of the bucket whose policy is being extended
pol = client.get_bucket_policy(Bucket=bucket)['Policy']
pol = json.loads(pol)
pol['Statement'].append(...)  # the new statement goes here
client.put_bucket_policy(
    Bucket=bucket,
    Policy=json.dumps(pol)  # write back the modified policy
)

you get a MalformedPolicy error and you waste a lot of time checking your new statement when the real problem is another statement.

How can I avoid this?

Answer 1

Score: 1


IAM always uses its internal unique identifiers when referencing principals: when you put a role in the policy, IAM stores not the role name or ARN but the unique identifier, similar to AIDAIHJ7YKCENOC6XHCIQ. And IAM checks whether the identifier in the policy actually exists, which it does not in your case. Therefore the policy is rejected.

The purpose of this is that if you grant permissions to user Lukas, then Lukas leaves your company, you delete the user, later a new Lukas joins, you create a new user Lukas - then the new Lukas should not have permissions that were initially granted to the old Lukas. But that would happen if you only checked / compared the name / arn and not the internal identifier.

Solution: do not use an OAI but instead add a condition checking the CloudFront distribution (best practice anyway): https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3
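The two halves of this thread, the dangling-principal failure in the question and the service-principal-plus-condition replacement in the answer, can be handled by one small pre-flight step before any put_bucket_policy call. The following is an added example, not code from the question, the answer or AWS: it reads a bucket policy as a dict, flags every "AWS" principal that is neither "*", an ARN nor a 12-digit account ID (the bare AIDA…/AROA… unique ID that IAM leaves behind once the referenced user, role or OAI is gone), refuses to append a statement while such a principal is present so the error names the real culprit, and can rebuild the policy with the CloudFront service-principal statement conditioned on AWS:SourceArn that the linked knowledge-center article recommends. The sample policy is the one from the question after the OAI was deleted; the distribution ARN and account ID are placeholders.

```python
import copy
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Constructed sample: the question's bucket policy after the OAI behind it was
# deleted. S3 rewrote the OAI ARN to the OAI's bare unique ID, which no longer resolves.
SAMPLE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "EB73SOC545AIK",
            "Effect": "Allow",
            "Principal": {"AWS": "AIDAIHJ7YKCENOC6XHCIQ"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket-app-dev-bucket/*",
        }
    ],
}


def aws_principals(statement):
    """Return the 'AWS' principals of a statement as a list ("*", str and list forms)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def is_dangling(principal):
    """A resolvable AWS principal is "*", an ARN or a 12-digit account ID. Anything
    else (a bare unique ID) is what IAM shows once the referenced entity was deleted."""
    return not (principal == "*" or principal.startswith("arn:") or ACCOUNT_ID_RE.match(principal))


def find_dangling_statements(policy):
    """List (Sid, principal) pairs whose principal no longer resolves."""
    found = []
    for stmt in policy.get("Statement", []):
        for p in aws_principals(stmt):
            if is_dangling(p):
                found.append((stmt.get("Sid", "<no Sid>"), p))
    return found


def append_statement(policy, new_statement):
    """Copy of policy with new_statement added. Refuses up front when an existing
    statement is already broken, so the error names that statement instead of
    surfacing later as a generic MalformedPolicy from put_bucket_policy."""
    dangling = find_dangling_statements(policy)
    if dangling:
        detail = ", ".join(f"Sid {sid!r} -> {p!r}" for sid, p in dangling)
        raise ValueError(f"refusing to write policy: dangling principal(s) in {detail}")
    updated = copy.deepcopy(policy)
    updated["Statement"].append(new_statement)
    return updated


def cloudfront_service_statement(bucket, distribution_arn,
                                 sid="AllowCloudFrontServicePrincipalReadOnly"):
    """Read access for the CloudFront service principal, limited to one distribution
    via AWS:SourceArn (the pattern from the linked AWS knowledge-center article)."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
    }


def repair_policy(policy, bucket, distribution_arn):
    """Drop every statement with a dangling principal, add the service-principal
    statement, and return (new_policy, removed_sids) for review before writing."""
    repaired = copy.deepcopy(policy)
    kept, removed = [], []
    for stmt in repaired.get("Statement", []):
        if any(is_dangling(p) for p in aws_principals(stmt)):
            removed.append(stmt.get("Sid", "<no Sid>"))
        else:
            kept.append(stmt)
    kept.append(cloudfront_service_statement(bucket, distribution_arn))
    repaired["Statement"] = kept
    return repaired, removed


if __name__ == "__main__":
    import json
    print("dangling:", find_dangling_statements(SAMPLE_POLICY))
    # Placeholder distribution ARN; substitute the real one.
    new_policy, gone = repair_policy(SAMPLE_POLICY, "mybucket-app-dev-bucket",
                                     "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST")
    print("removed:", gone)
    print(json.dumps(new_policy, indent=2))
    # With boto3 the result is written back via
    # boto3.client("s3").put_bucket_policy(Bucket=..., Policy=json.dumps(new_policy))
```

Run this against the policy returned by get_bucket_policy before every put_bucket_policy; the check costs nothing and turns the opaque MalformedPolicy into an error that names the stale Sid. The repaired policy deliberately keeps no trace of the OAI, since the service-principal statement with SourceArn is the replacement the answer recommends.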

huangapple
  • Posted on 2023-03-15 20:40:30
  • Please keep this link when reposting: https://go.coder-hub.com/75744843.html