了解IAM策略

Question

我最近在使用Code-Build时遇到了一个带有IAM策略的problem。我正在尝试理解以下两个策略之间的区别，并检查使用版本2而不是版本1是否有任何安全隐患。

版本1不能工作，所以我决定用版本2，但是为什么版本2能工作，为什么版本1不能工作呢？

版本1仅提供对存储桶资源的访问权限，并允许对S3存储桶对象进行读写。

但是版本2提供了访问所有S3存储桶的权限，不是吗？这会被认为是安全漏洞吗？

版本1

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::codepipeline-ap-southeast-1-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        }
    ]
}

版本2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::codepipeline-ap-southeast-1-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        },
{
  "Sid": "S3AccessPolicy",
  "Effect": "Allow",
  "Action": [
    "s3:CreateBucket",
    "s3:GetObject",
    "s3:List*",
    "s3:PutObject"
  ],
  "Resource": "*"
  }
    ]
}

Answer 1

我已经通过授予对特定S3存储桶的受限访问权限来复制该场景。

块1:允许所需的亚马逊S3控制台权限此处我已授予CodePipeline列出亚马逊服务帐户中所有存储桶的权限。

块2:允许列出根文件夹中的对象此处我的S3存储桶名称是"aws-codestar-us-east-1-493865049436-larvel-test-pipe“

但令我惊讶的是，当我遵循从创建CodePipeline到从相同的管道控制台本身创建构建的步骤时，我得到了与您的版本1相同的策略，并且它也执行了。然而，作为下一步，我按照下面的策略为S3中的存储桶提供了特定的权限，并且它已经起作用了。因此，在您的版本2中，不是授予对资源资源的所有权限“："*”您可以将权限限制为仅特定的存储桶，如以下示例策略中所述

{
   "Version": "2012-10-17",
   "Statement": [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1",
            "arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1:*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::codepipeline-us-east-1-*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::aws-codestar-us-east-1-493865049436-larvel-test-pipe/*" 
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    }
]
}