When a VPC endpoint policy allows access to an S3 access point, the Resource element must include not only the S3 access point ARNs but also the S3 bucket ARNs.

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::system1-if-files",
        "arn:aws:s3:::system1-if-files/*",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
      ]
    }
  ]
}
```

- `arn:aws:s3:::system1-if-files` ★ required for listing objects (ls)
- `arn:aws:s3:::system1-if-files/*` ★ required for Get/Put of files
- `arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1` ★ required for listing objects (ls)
- `arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*` ★ required for Get/Put of files
Verification results

| # | Test case | Get | Put | ls |
|---|---|---|---|---|
| 1 | Without arn:aws:s3:::system1-if-files | ○ | ○ | ✕ |
| 2 | Without arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1 | ○ | ○ | ✕ |
| 3 | Without arn:aws:s3:::system1-if-files/* | ✕ | ✕ | ○ |
| 4 | Without arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/* | ✕ | ✕ | ○ |
| 5 | All four ARNs | ○ | ○ | ○ |
| 6 | All four ARNs, with accesspoint/ap-system1/* instead of .../object/* | ○ | ○ | ○ |
1. Without arn:aws:s3:::system1-if-files

- VPC endpoint policy (without the bucket ARN)

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::system1-if-files/*",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
      ]
    }
  ]
}
```

- ls fails

```sh
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```
2. Without arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1

- VPC endpoint policy (without the access point ARN)

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::system1-if-files",
        "arn:aws:s3:::system1-if-files/*",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
      ]
    }
  ]
}
```

- ls fails

```sh
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```
3. Without arn:aws:s3:::system1-if-files/*

- VPC endpoint policy (without the bucket object ARN)

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::system1-if-files",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
      ]
    }
  ]
}
```

- Get/Put fail

```sh
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload failed: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:04:56  100000000 100mb.dat
```
4. Without arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*

- VPC endpoint policy (without the access point /object/* ARN)

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::system1-if-files",
        "arn:aws:s3:::system1-if-files/*",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1"
      ]
    }
  ]
}
```

- Get/Put fail

```sh
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload failed: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:04:56  100000000 100mb.dat
```
5. All four ARNs

- VPC endpoint policy (all four ARNs)

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::system1-if-files",
        "arn:aws:s3:::system1-if-files/*",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
      ]
    }
  ]
}
```

- Everything succeeds

```sh
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:13:40  100000000 100mb.dat
```
6. All four ARNs, with accesspoint/ap-system1/* instead of .../object/*

- VPC endpoint policy (access point ARN with /* instead of /object/*)

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::system1-if-files",
        "arn:aws:s3:::system1-if-files/*",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/*"
      ]
    }
  ]
}
```

- Everything succeeds

```sh
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:14:34  100000000 100mb.dat
```
Reference

The following example policy statement configures a VPC endpoint to allow calls to GetObject for a bucket named awsexamplebucket1 and an access point named example-vpc-ap.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket1/*",
        "arn:aws:s3:us-west-2:123456789012:accesspoint/example-vpc-ap/object/*"
      ]
    }
  ]
}
```

Source: Creating access points restricted to a virtual private cloud - Amazon Simple Storage Service

An easy mistake to make in an S3 access point policy is forgetting to append "/object/" after the access point ARN.
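The verification table above and the "/object/" slip can be turned into a pre-deployment check. The script below is an added example, not code from the page: it encodes the observed rule (ls needs the bucket ARN and the access point ARN; Get/Put need the object ARN under both the bucket and the access point's /object/ prefix), predicts the Get/Put/ls outcome of an endpoint policy, and reports the missing ARNs with a hint when the /object/ prefix is what is absent. The helper names (`allowed`, `predict`, `missing_resources`, `policy_with`) are assumptions of this example; wildcard matching is approximated with shell-style globs, Deny statements and Conditions are not modelled, and ls/cp are mapped to the IAM actions s3:ListBucket, s3:GetObject and s3:PutObject.

```python
import fnmatch

# Constructed for this example: the bucket and access point names are the ones the page tests.
BUCKET = "system1-if-files"
AP_ARN = "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1"
KEY = "dir1/dir2/100mb.dat"


def _needed(op, bucket, ap_arn, key):
    """Action and ARNs an operation needs, as the page's tests observed: ls needs the bucket ARN
    and the access point ARN; Get/Put need the object ARN under both the bucket and the
    access point's /object/ prefix."""
    if op == "ls":
        return "s3:ListBucket", [f"arn:aws:s3:::{bucket}", ap_arn]
    action = "s3:GetObject" if op == "Get" else "s3:PutObject"
    return action, [f"arn:aws:s3:::{bucket}/{key}", f"{ap_arn}/object/{key}"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _matches(patterns, value):
    # IAM '*' and '?' behave like shell globs; '[' is literal in IAM, so escape it for fnmatch.
    return any(fnmatch.fnmatchcase(value, p.replace("[", "[[]")) for p in patterns)


def allowed(policy, action, arn):
    """True if some Allow statement grants `action` on `arn` (Deny and Condition are not modelled)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _matches(_as_list(stmt.get("Action")), action) and _matches(_as_list(stmt.get("Resource")), arn):
            return True
    return False


def predict(policy, bucket=BUCKET, ap_arn=AP_ARN, key=KEY):
    """Predict which of Get / Put / ls through the access point the endpoint policy permits."""
    result = {}
    for op in ("Get", "Put", "ls"):
        action, arns = _needed(op, bucket, ap_arn, key)
        result[op] = all(allowed(policy, action, a) for a in arns)
    return result


def missing_resources(policy, bucket=BUCKET, ap_arn=AP_ARN, key=KEY):
    """List the ARNs the policy fails to cover, flagging the easy-to-miss /object/ prefix."""
    gaps = []
    for op in ("Get", "Put", "ls"):
        action, arns = _needed(op, bucket, ap_arn, key)
        for a in arns:
            if not allowed(policy, action, a):
                hint = " <- access point ARN needs '/object/*'" if a.startswith(ap_arn + "/object/") else ""
                gaps.append(f"{op}: {a}{hint}")
    return gaps


def policy_with(resources):
    """Build the page's test policy shape (Action '*', Principal '*') around a Resource list."""
    return {"Version": "2008-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": resources}]}


BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
# The six Resource lists from the page's verification table.
CASES = {
    1: [f"{BUCKET_ARN}/*", AP_ARN, f"{AP_ARN}/object/*"],
    2: [BUCKET_ARN, f"{BUCKET_ARN}/*", f"{AP_ARN}/object/*"],
    3: [BUCKET_ARN, AP_ARN, f"{AP_ARN}/object/*"],
    4: [BUCKET_ARN, f"{BUCKET_ARN}/*", AP_ARN],
    5: [BUCKET_ARN, f"{BUCKET_ARN}/*", AP_ARN, f"{AP_ARN}/object/*"],
    6: [BUCKET_ARN, f"{BUCKET_ARN}/*", AP_ARN, f"{AP_ARN}/*"],
}


def run_page_cases():
    """Predict every case in the page's table; cases 1 and 2 should fail ls, 3 and 4 Get/Put."""
    return {n: predict(policy_with(res)) for n, res in CASES.items()}


if __name__ == "__main__":
    for n, outcome in run_page_cases().items():
        print(n, outcome)
    print(missing_resources(policy_with(CASES[4])))
```

Running the script reproduces the table: cases 1 and 2 lose ls, cases 3 and 4 lose Get/Put, and cases 5 and 6 pass, the latter because the broad accesspoint/ap-system1/* glob also covers the /object/ prefix. Applied to the AWS documentation example above, the checker correctly predicts GetObject only.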