[Important][AWS] IAM - Creating an S3 permission role !!

by METAVERSE STORY 2024. 6. 14.

  • Create the role to attach to the EC2 instance (e.g. ROLE-EC2-!!!)

      : stays usable after a reboot
      : see S3 Full Access

## Applying a customized bucket policy

==================== S3 bucket policy =====================================

   - The following example grants a Lambda function permission to download,
     upload and delete objects in a specific S3 bucket named example-my-org.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::example-my-org/*"
            ]
        }
    ]
}

================================================================
    # List of permissions required when configuring object storage:
    s3:ListAllMyBuckets
    s3:ListBucket
    s3:GetBucketLocation
    s3:GetObject
    s3:PutObject
    s3:GetObjectTagging
    s3:GetObjectAcl
    s3:PutObjectAcl
    s3:PutObjectTagging
    s3:RestoreObject
    s3:PutObjectRetention
    s3:BypassGovernanceRetention

## Apply every policy using TABs only (no spaces) ==> if dot marks show up, it errors!!
- Copy it and re-apply the indentation with TABs!!


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectTagging",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:RestoreObject",
                "s3:PutObjectRetention",
                "s3:BypassGovernanceRetention"
            ],
            "Resource": [
                "arn:aws:s3:::example-my-org/*"
            ]
        }
    ]
}


================== SLAVE ======================================

"ec2:CreateTags"
"ec2:DescribeImportImageTasks"
"ec2:ImportImage"
"ec2:DescribeImages"
"iam:ListRolePolicies"
"iam:ListRoles"
"iam:GetRole"
"iam:GetRolePolicy"
"iam:CreateRole"
"iam:PutRolePolicy"


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::example-my-org/*"
            ]
        },
        {
            "Action": [
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:CreateRole",
                "iam:PutRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:*"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeImportImageTasks",
                "ec2:ImportImage",
                "ec2:DescribeImages"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ec2::*:*"
        }
    ]
}

## Compare with the content below!!


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::example-my-org/*"
            ]
        },
        {
            "Action": [
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:CreateRole",
                "iam:PutRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeImportImageTasks",
                "ec2:ImportImage",
                "ec2:DescribeImages"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}


=============== Final =====================

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectTagging",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:RestoreObject",
                "s3:PutObjectRetention",
                "s3:BypassGovernanceRetention"
            ],
            "Resource": [
                "arn:aws:s3:::example-my-org/*"
            ]
        },
        {
            "Action": [
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:CreateRole",
                "iam:PutRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeImportImageTasks",
                "ec2:ImportImage",
                "ec2:DescribeImages"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
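Two checks worth running on policies like the final one above before pasting them into the console. First, the "dot marks" that the TAB note warns about are typically no-break spaces or other invisible characters picked up when JSON is copied from a web page; they are not JSON whitespace, so the policy editor rejects the document. Second, in the final policy the bucket-level actions s3:ListBucket and s3:GetBucketLocation are evaluated against the bucket ARN (arn:aws:s3:::example-my-org), and s3:ListAllMyBuckets only matches Resource "*", so scoping all of them to arn:aws:s3:::example-my-org/* leaves those three actions unauthorized while the object actions work. The following linter is an added example written for this post, not code from the author or from AWS; the sample policy inside it is a constructed, shortened copy of the final policy with one no-break space deliberately inserted, and the action sets it knows about are limited to the actions used on this page.

```python
"""Linter for IAM policy documents like the ones in these notes (added example).

Two checks:
  1. Invisible characters (no-break spaces, zero-width characters) that come
     along when a policy is copy-pasted from a web page; they look like spaces
     or dots in an editor but are not JSON whitespace, so the policy editor
     rejects the document.
  2. S3 bucket-level and account-level actions scoped only to an object ARN
     (bucket/*), which IAM never matches, plus wildcard actions and resources.
"""
import json
import re

# Characters that render like whitespace but are not JSON whitespace.
INVISIBLE = {
    "\u00a0": "NO-BREAK SPACE",
    "\u200b": "ZERO WIDTH SPACE",
    "\u2028": "LINE SEPARATOR",
    "\ufeff": "BYTE ORDER MARK",
}

# S3 actions evaluated against the bucket ARN arn:aws:s3:::bucket (subset used on this page).
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
# S3 actions that only match Resource "*" (there is no narrower ARN for them).
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets"}

# An object ARN: bucket name followed by a slash and a key or key pattern.
OBJECT_ARN = re.compile(r"^arn:aws:s3:::[^/]+/.+$")


def find_invisible_chars(text):
    """Return (line, column, name) for each invisible character in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in INVISIBLE:
                hits.append((lineno, col, INVISIBLE[ch]))
    return hits


def clean_policy_text(text):
    """Replace invisible characters with plain spaces so the JSON parses."""
    for ch in INVISIBLE:
        text = text.replace(ch, " ")
    return text


def parses_as_json(text):
    """True if the text is valid JSON exactly as given."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable findings for a parsed policy dict."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or "statement[%d]" % idx
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("%s: wildcard action %s" % (label, [a for a in actions if a.endswith("*")]))
        if "*" in resources and not set(actions) <= ACCOUNT_LEVEL_ACTIONS:
            findings.append('%s: Resource "*" on %s; scope to specific ARNs where the action supports it' % (label, actions))
        if resources and all(OBJECT_ARN.match(r) for r in resources):
            for action in actions:
                if action in BUCKET_LEVEL_ACTIONS:
                    findings.append("%s: %s needs the bucket ARN (arn:aws:s3:::bucket), not bucket/*" % (label, action))
                elif action in ACCOUNT_LEVEL_ACTIONS:
                    findings.append('%s: %s only matches Resource "*"' % (label, action))
    return findings


# Constructed sample: the "final" policy of these notes, shortened, with one
# no-break space inserted before "s3:ListBucket" to mimic a paste artefact.
SAMPLE = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
              \u00a0 "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": ["arn:aws:s3:::example-my-org/*"]
        },
        {
            "Action": ["iam:ListRoles", "iam:GetRole", "iam:CreateRole", "iam:PutRolePolicy"],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}"""


def check_policy_text(text):
    """Full pipeline: locate invisible characters, clean, parse, lint."""
    invisible = find_invisible_chars(text)
    policy = json.loads(clean_policy_text(text))
    return invisible, lint_policy(policy)


if __name__ == "__main__":
    bad_chars, findings = check_policy_text(SAMPLE)
    print("parses as pasted:", parses_as_json(SAMPLE))
    for lineno, col, name in bad_chars:
        print("invisible char at line %d col %d: %s" % (lineno, col, name))
    for finding in findings:
        print("finding:", finding)
```

On the sample the script reports that the pasted text does not parse, points at the no-break space on line 9, and then flags s3:ListAllMyBuckets, s3:ListBucket and s3:GetBucketLocation as mis-scoped plus the IAM statement's Resource "*". The fix that keeps the notes' intent is to give the bucket-level actions a second resource entry, arn:aws:s3:::example-my-org, and to put s3:ListAllMyBuckets in its own statement with Resource "*".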
