【Title】: How to protect AWS tagged resources via SCP?
【Posted】: 2021-12-21 13:34:22
【Question】:

I have some sensitive assets (Lambda, S3 buckets, IAM...) that I want to protect in case someone tries to wipe a bucket policy, delete a function, or otherwise damage these resources. They are all tagged with <<MY_KEY>>:<<MY_VALUE>>. The thing is, I want to do this at the organization level, because I have multiple AWS accounts. I am using this policy in an SCP.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyActionsOnTaggedResources",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:DeleteBucketPolicy",
        "s3:PutAccessPointPolicyForObjectLambda",
        "s3:PutBucketPublicAccessBlock",
        "s3:DeleteAccessPointPolicyForObjectLambda",
        "s3:PutMultiRegionAccessPointPolicy",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:DeleteAccessPointPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutAccessPointPolicy",
        "s3:BypassGovernanceRetention",
        "lambda:DeleteFunction",
        "lambda:DeleteCodeSigningConfig",
        "lambda:DeleteFunctionCodeSigningConfig",
        "lambda:AddLayerVersionPermission",
        "lambda:RemoveLayerVersionPermission",
        "lambda:EnableReplication",
        "lambda:AddPermission",
        "lambda:DisableReplication",
        "lambda:DeleteLayerVersion",
        "lambda:DeleteFunctionEventInvokeConfig",
        "lambda:PublishVersion",
        "lambda:CreateAlias",
        "lambda:RemovePermission",
        "iam:DeleteRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteUserPolicy",
        "iam:DeleteGroupPolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePermissionsBoundary",
        "iam:CreatePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/<<MY_KEY>>": "<<MY_VALUE>>"
        },
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/<<MY_ROLE>>"
          ]
        }
      }
    }
  ]
}

For testing, whenever I use a role that is not my role, I can still modify the resources. Where is my mistake?

【Comments】:

  • "For testing, whenever I use a role that is not my role, I can still modify the resources." That is very unclear - what do you mean? What is the name of the role you are using?
  • Which specific API calls are you testing? Some calls may not accept ResourceTag as a condition.

Tags: amazon-web-services amazon-s3 aws-lambda amazon-iam


【Solution 1】:

Could you change this StringNotEquals to StringNotLike and try again? When you use a wildcard (*) in a Condition, StringNotEquals will not work. The rest of the policy looks fine.

String condition operators

I would also recommend using Access Analyzer to validate the policy. It will catch errors like this while you are building the policy. See Access Analyzer

【Discussion】:

【Solution 2】:

It turns out @John Rotenstein was right. S3 API calls do not support ResourceTag as a condition.

Since this was an urgent need at work, I ended up opening a support case with AWS, and they replied with this:

    I understand you are trying to restrict actions on an S3 bucket using the ResourceTag condition key.

    Unfortunately, you cannot currently use the AWS:ResourceTag condition key to control access to the S3 bucket; please refer to the following documentation[1]. In the documentation, you can see that the only resource type that currently supports the aws:ResourceTag condition key is "storagelensconfiguration". There is an existing feature request with the S3 service team to add support for the AWS:ResourceTag condition key, which I have +1'd on your behalf. I am unable to provide an ETA for when the feature might get released since I have no visibility over the processes of the service team. However, all new feature announcements will be made available on our What's New with AWS page[2].

    When it comes to controlling access to S3 with the use of tags, we do have the examples in the following AWS Documentation[3], which uses the tags applied to specific objects to control access. It makes use of the condition keys s3:ExistingObjectTag/<tag-key>, s3:RequestObjectTagKeys and s3:RequestObjectTag/<tag-key> to control access to certain S3 actions; however, it requires the individual objects to be tagged, and it will not work with tags at the bucket level. I would suggest reading through the above linked documentation[3] and seeing if the solution described in it will meet your organization's needs.

    I hope you find the above information helpful; please let me know if you have any additional questions.

    [1] Actions, resources, and condition keys for Amazon S3 - https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html
    [2] What's New with AWS? - https://aws.amazon.com/new/
    [3] Tagging and access control policies - https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html
    

【Discussion】:
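The following is an added example, not code from the original post or from AWS: a minimal evaluator for the Condition block in the question that reproduces both answers' points. With StringNotEquals the wildcard ARN never matches literally, so even the role meant to be exempt is denied on Lambda (StringNotLike fixes that, as Solution 1 says), while S3 bucket actions escape the Deny entirely because they do not populate aws:ResourceTag (Solution 2). The account id 111122223333, the Developer role and the request contexts are constructed sample values.

```python
import fnmatch

# Added example (not from the original post or AWS); sample ARNs are constructed.
# Only the *Like operators treat * and ? as wildcards; *Equals compares literally.
OPERATORS = {
    "StringEquals": lambda pat, val: pat == val,
    "StringNotEquals": lambda pat, val: pat != val,
    "StringLike": lambda pat, val: fnmatch.fnmatchcase(val, pat),
    "StringNotLike": lambda pat, val: not fnmatch.fnmatchcase(val, pat),
}

def condition_matches(condition, context):
    """Keys/operators are ANDed; a *Not* operator must miss every listed value, others
    need one match. A key missing from context fails positive operators, passes negated."""
    for operator, pairs in condition.items():
        negated, test = "Not" in operator, OPERATORS[operator]
        for key, patterns in pairs.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            value = context.get(key)
            if value is None:
                if not negated:
                    return False
                continue
            if not (all if negated else any)(test(p, value) for p in patterns):
                return False
    return True

def scp_denies(statement, context):
    # True when the Deny statement applies to the request described by context.
    return context["action"] in statement["Action"] and condition_matches(statement["Condition"], context)

def build_statement(principal_operator):
    # The question's statement cut to three actions; the operator is Solution 1's knob.
    return {"Effect": "Deny",
            "Action": ["s3:PutBucketPolicy", "lambda:DeleteFunction", "iam:DeleteRole"],
            "Condition": {"StringEquals": {"aws:ResourceTag/<<MY_KEY>>": "<<MY_VALUE>>"},
                          principal_operator: {"aws:PrincipalArn": ["arn:aws:iam::*:role/<<MY_ROLE>>"]}}}

ADMIN = "arn:aws:iam::111122223333:role/<<MY_ROLE>>"  # constructed: the exempt role
DEV = "arn:aws:iam::111122223333:role/Developer"      # constructed: any other role
TAGGED = {"aws:ResourceTag/<<MY_KEY>>": "<<MY_VALUE>>"}

def lambda_delete(principal):
    # Lambda populates aws:ResourceTag for the function, so the tag key is present.
    return {"action": "lambda:DeleteFunction", "aws:PrincipalArn": principal, **TAGGED}

def s3_put_bucket_policy(principal):
    # S3 bucket actions do not populate aws:ResourceTag (Solution 2), so the key is absent.
    return {"action": "s3:PutBucketPolicy", "aws:PrincipalArn": principal}
```

Run scp_denies(build_statement(op), ctx) for each operator and context: the StringNotEquals variant denies the exempt role on Lambda, the StringNotLike variant does not, and neither variant denies the S3 bucket action for any principal.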
