AWS Cloud Security Primer, Lab 3
Lab content: manually create the first security data warehouse account
Create the data warehouse account
AWS Organizations -> AWS accounts -> Add an AWS account -> Create an AWS account
Create the S3 bucket for the CloudTrail logs
Log in with the organization's logging account
S3 -> Create bucket
After it is created, open the bucket -> Permissions
Change the bucket policy to the following (replace [bucket] with the bucket name and [organization-id] with the organization's id)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Effect": "Allow",
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::[bucket]"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[bucket]/AWSLogs/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    },
    {
      "Sid": "AWSCloudTrailOrganizationWrite20150319",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[bucket]/AWSLogs/[organization-id]/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}
Make sure cross-account access to this account is read-only
IAM -> role OrganizationAccountAccessRole -> attach the ReadOnlyAccess policy and detach the AdministratorAccess policy
Enable CloudTrail audit logging
Log in with the management account -> CloudTrail -> Trails -> Create trail (enable for my organization; for the S3 bucket, choose the existing one)
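As an added, runnable illustration that is not part of the lab handout: a Python script that fills the placeholders into the bucket policy above and then checks the result for the properties the lab relies on (unique Sids, only the CloudTrail service as principal, no wildcard actions, resources confined to the log bucket, PutObject allowed only with the bucket-owner-full-control ACL). The bucket name and organization id are constructed placeholders, the Sid names follow AWS's documented organization-trail policy, and the checker itself is an assumption about what a correct policy looks like, not an AWS tool.

```python
import json

CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}
OWNER_FULL_CONTROL = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}

def build_bucket_policy(bucket: str, org_id: str) -> dict:
    """Lab policy with [bucket]/[organization-id] filled in; Sids per AWS docs (assumption)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck20150319", "Principal": CLOUDTRAIL, "Effect": "Allow",
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AWSCloudTrailWrite20150319", "Principal": CLOUDTRAIL, "Effect": "Allow",
             "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/*",
             "Condition": OWNER_FULL_CONTROL},
            {"Sid": "AWSCloudTrailOrganizationWrite20150319", "Principal": CLOUDTRAIL,
             "Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*",
             "Condition": OWNER_FULL_CONTROL},
        ],
    }

def policy_findings(policy: dict, bucket: str) -> list:
    """Constructed checker (not an AWS API): flag Allow statements that drift from
    the shape the lab wants; an empty list means the policy passes."""
    findings = []
    sids = [s.get("Sid") for s in policy["Statement"]]
    if len(sids) != len(set(sids)):
        findings.append("duplicate Sid values")  # Sids should be unique within a policy
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid")
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if s.get("Principal") != CLOUDTRAIL:  # only the CloudTrail service may write here
            findings.append(f"{sid}: principal other than the CloudTrail service")
        if any("*" in a for a in actions):  # no s3:* or similar
            findings.append(f"{sid}: wildcard action")
        if any(not r.startswith(f"arn:aws:s3:::{bucket}") for r in resources):
            findings.append(f"{sid}: resource outside the log bucket")
        if "s3:PutObject" in actions and s.get("Condition") != OWNER_FULL_CONTROL:
            findings.append(f"{sid}: PutObject not limited to bucket-owner-full-control")
    return findings

if __name__ == "__main__":
    # Constructed placeholder names; substitute your own bucket and organization id.
    pol = build_bucket_policy("example-org-cloudtrail-logs", "o-exampleorgid")
    print(json.dumps(pol, indent=2))
    print("findings:", policy_findings(pol, "example-org-cloudtrail-logs"))  # findings: []
```

Running it prints the filled-in policy ready to paste into the bucket's Permissions tab; rerun the checker on the policy you actually saved to catch edits that widen it.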