AWS Cloud Security First Steps, Lab 3

Lab content: manually create the first security data warehouse account

Create the data warehouse account

AWS Organizations -> AWS accounts -> Add an AWS account -> Create an AWS account

Create the S3 bucket for CloudTrail logs

Log in with the organization's logging account

S3 -> Create bucket

After creation, open the bucket -> Permissions

Change the bucket policy to the following (`[bucket]` and `[organization-id]` are placeholders for your bucket name and organization ID; only the CloudTrail service principal is granted access, and every write must hand the object to the bucket owner)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Effect": "Allow",
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::[bucket]"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::[bucket]/AWSLogs/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSCloudTrailOrganizationWrite20150319",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::[bucket]/AWSLogs/[organization-id]/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
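Before pasting a policy like the one above into the console, it is worth checking it for the properties an organization trail bucket needs: one Sid per statement, only the `cloudtrail.amazonaws.com` service principal, and every `s3:PutObject` grant limited to the `AWSLogs/` prefix with the `bucket-owner-full-control` ACL condition. The checker below is an added example, not code from the post; the bucket name, the organization ID `o-example` and the helper `stmt` are constructed, and the sample policy deliberately repeats one Sid across all three statements and drops the ACL condition from the last one so both mistakes are reported.

```python
CLOUDTRAIL = "cloudtrail.amazonaws.com"
OWNER_ACL = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
BUCKET = "arn:aws:s3:::example-trail-bucket"  # constructed bucket name, not the post's

def _as_list(value):
    """Policy fields may be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_cloudtrail_bucket_policy(policy):
    """Return a list of findings for a CloudTrail log-bucket policy; [] means it passes."""
    findings = []
    statements = policy.get("Statement", [])
    sids = [st.get("Sid") for st in statements]
    for sid in sorted(set(s for s in sids if s)):
        if sids.count(sid) > 1:
            findings.append(f"duplicate Sid: {sid}")
    has_acl_check = False
    for st in statements:
        sid, principal = st.get("Sid"), st.get("Principal")
        # Only the CloudTrail service principal belongs here, never "*" or an AWS account
        if not isinstance(principal, dict) or principal.get("Service") != CLOUDTRAIL:
            findings.append(f"{sid}: principal is not {CLOUDTRAIL}")
        actions = _as_list(st.get("Action", []))
        if "s3:GetBucketAcl" in actions:
            has_acl_check = True
        if "s3:PutObject" in actions:
            acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject without bucket-owner-full-control")
            for res in _as_list(st.get("Resource", [])):
                if "/AWSLogs/" not in res:  # writes must stay under the AWSLogs/ prefix
                    findings.append(f"{sid}: PutObject outside AWSLogs/: {res}")
    if not has_acl_check:
        findings.append("no s3:GetBucketAcl statement for CloudTrail")
    return findings

def stmt(sid, action, resource, condition=None):
    """Build one Allow statement for the CloudTrail service principal (constructed helper)."""
    st = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
          "Action": action, "Resource": resource}
    if condition:
        st["Condition"] = condition
    return st

# Constructed sample: one Sid copy-pasted three times, ACL condition missing on the last statement
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    stmt("AWSCloudTrailAclCheck20150319", "s3:GetBucketAcl", BUCKET),
    stmt("AWSCloudTrailAclCheck20150319", "s3:PutObject", BUCKET + "/AWSLogs/*", OWNER_ACL),
    stmt("AWSCloudTrailAclCheck20150319", "s3:PutObject", BUCKET + "/AWSLogs/o-example/*"),
]}
```

Running `check_cloudtrail_bucket_policy(SAMPLE_POLICY)` returns two findings, the duplicate Sid and the unconditioned PutObject; a policy with distinct Sids and the condition on every write returns an empty list.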

Make sure cross-account access is read-only

IAM -> role OrganizationAccountAccessRole -> attach the ReadOnlyAccess policy and remove the AdministratorAccess policy

Enable CloudTrail audit logging

Log in to the management account -> CloudTrail -> Trails -> Create trail (enable for all accounts in my organization) (choose the existing S3 bucket for the log destination)

posted @ 2022-02-21 22:23  Yu_so1dier0n  Views(57)  Comments(0)