为ssm资源数据同步创建S3桶策略,该策略允许新帐户添加访问而无需手动添加语句
为ssm资源数据同步创建S3桶策略,该策略允许新帐户添加访问而无需手动添加语句
提问于 2022-05-12 02:13:32
我试图部署一个SSM库存收集和资源数据同步通过云格式在15个帐户。我可以通过在中央s3桶中添加一条语句来手动添加每个帐户,以便进行适当的访问。我想知道是否有一种方法可以创建一个策略,允许新创建的AWS帐户在不向s3桶策略中添加语句的情况下拥有正确的访问权限。下面是我所关注的文件。我使用这个方法来添加下面的每个帐户
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=123456789012/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=444455556666/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=777788889999/*"
],在https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html文档中,我看到您可以为AWS组织中定义的帐户创建资源数据同步。但是,这仍然不能完成授予任何新帐户的模板被部署,访问将被授予。
为AWS组织中定义的帐户创建库存资源数据同步
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::S3_bucket_name"
},
{
"Sid": " SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"s3:RequestObjectTag/OrgId": "organization-id",
"aws:SourceAccount": "123456789012"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:ssm:*:123456789012:resource-data-sync/*"
}
}
},
{
"Sid": " SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
]
}
]
}我玩弄了一些政策,但似乎行不通。
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::inventorycollectionsync/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-mb7bem0c79"
}
}
}
]
}回答 1
Stack Overflow用户
发布于 2022-07-16 00:26:58
试试这个:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": " SSMBucketOrgDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": " SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:RequestObjectTag/OrgId": "org-id",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": " SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*"
}
]
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/72209406
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号