Deleting CloudFront OAI breaks bucket policy
Question
If I have a bucket with this policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "EB73SOC545AIK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EB73SOC545AIK"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket-app-dev-bucket/*"
    }
  ]
}

And when I delete the CloudFront distribution that uses OAI EB73SOC545AIK, something automatically updates my bucket policy with this value:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "EB73SOC545AIK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AIDAIHJ7YKCENOC6XHCIQ"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket-app-dev-bucket/*"
    }
  ]
}

It is a malformed policy.

This is very annoying because it happens without you noticing, and later, if you use boto3 to append a new statement (without changing the previous ones), for example like this:

import json
import boto3

bucket = 'mybucket-app-dev-bucket'
client = boto3.client('s3')
# Read the current policy and decode it from JSON
pol = client.get_bucket_policy(Bucket=bucket)['Policy']
pol = json.loads(pol)
# Append the new statement (omitted here)
pol['Statement'].append(...)
# Write the modified policy back
client.put_bucket_policy(
    Bucket=bucket,
    Policy=json.dumps(pol)
)

you get a MalformedPolicy error and you waste a lot of time checking your new statement, when the real problem is another statement.

How can I avoid this?
Answer 1
Score: 1
IAM always uses its internal unique identifiers when referencing principals. When you put a role in the policy, IAM will store not the role name or ARN but the unique identifier, similar to AIDAIHJ7YKCENOC6XHCIQ. And IAM checks if the identifier in the policy actually exists, which it does not in your case. Therefore the policy is rejected.

The purpose of this is that if you grant permissions to user Lukas, then Lukas leaves your company, you delete the user, later a new Lukas joins, you create a new user Lukas - then the new Lukas should not have permissions that were initially granted to the old Lukas. But that would happen if you only checked / compared the name / ARN and not the internal identifier.

Solution: do not use an OAI but instead add a condition checking the CloudFront distribution (best practice anyway): https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3
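An added example (not code from the question or the answer) of a check that runs before the read-modify-write in the question: any statement whose Principal IAM has rewritten to a bare unique ID (a deleted user, role or OAI) is reported by Sid, instead of surfacing as a MalformedPolicy error that points at the unrelated new statement. The client can be a real boto3 S3 client or anything with the same get_bucket_policy/put_bucket_policy shape; the unique-ID pattern is an assumption based on the AIDA.../AROA... prefix format of IAM identifiers.

```python
import json
import re

# Constructed sample: the policy from the question after the OAI was deleted.
# IAM wrote back the deleted principal's bare unique ID instead of its ARN.
STALE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "EB73SOC545AIK",
            "Effect": "Allow",
            "Principal": {"AWS": "AIDAIHJ7YKCENOC6XHCIQ"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket-app-dev-bucket/*",
        }
    ],
}

# Assumed shape of an IAM unique ID: uppercase prefix such as AIDA/AROA
# followed by an uppercase alphanumeric string. ARNs, account IDs and "*"
# never match this, so anything that does is a principal IAM can no longer resolve.
_UNIQUE_ID = re.compile(r"^A[A-Z0-9]{3}[A-Z0-9]{16,}$")


def _principal_values(principal):
    """Yield every string inside a Principal ("*", list, or {"AWS": ...} map)."""
    if isinstance(principal, str):
        yield principal
    elif isinstance(principal, list):
        for item in principal:
            yield from _principal_values(item)
    elif isinstance(principal, dict):
        for value in principal.values():
            yield from _principal_values(value)


def stale_statements(policy):
    """Return the Sid (or index) of each statement whose principal is a bare unique ID."""
    stale = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if any(_UNIQUE_ID.match(v) for v in _principal_values(stmt.get("Principal", {}))):
            stale.append(stmt.get("Sid", f"#{i}"))
    return stale


def append_statement(client, bucket, new_stmt):
    """Same read-modify-write as the question, but refuse to write if a stale principal exists."""
    policy = json.loads(client.get_bucket_policy(Bucket=bucket)["Policy"])
    stale = stale_statements(policy)
    if stale:
        raise ValueError(f"bucket policy has statements with deleted principals: {stale}")
    policy["Statement"].append(new_stmt)
    client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    return policy
```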