本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。 # 示例: WorkSpaces 应用程序应用程序 Amazon S3 存储桶策略跨服务混淆了副手预防 当您将数据存储在 Amazon S3 存储桶时,该存储桶可能会出现混淆代理问题。这可能会使弹性实例集、应用程序块、设置脚本、应用程序图标和会话脚本等数据容易受到恶意行为者的攻击。 为防止出现混淆代理问题,您可以在 Amazon S3 存储桶策略中为 `ELASTIC-FLEET-EXAMPLE-BUCKET` 指定 `aws:SourceAccount` 条件或 `aws:SourceArn` 条件。 下面的资源策略说明了如何通过以下任一方法防止出现混淆代理问题: + `aws:SourceAccount`带有您的 AWS 账户 ID 的 + 全局条件上下文键 `aws:SourceArn` WorkSpaces 应用程序目前不支持对应用程序图标进行混淆副手防护。该服务仅支持 VHD 文件和设置脚本。如果您尝试为应用程序图标添加其他条件,则这些图标将不会显示给最终用户。 在以下示例中,存储桶策略仅允许所有者账户中的 A WorkSpaces pplications Elastic 队列资源进行访问`ELASTIC_FLEET_EXAMPLE_BUCKET`。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::{{ELASTIC-FLEET-EXAMPLE-BUCKET}}/vhd-folder/*", "arn:aws:s3:::{{ELASTIC-FLEET-EXAMPLE-BUCKET}}/scripts/*" ], "Condition": { "StringEquals": { "aws:SourceAccount": "{{your AWS 账户 ID}}" } } }, { "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::{{ELASTIC-FLEET-EXAMPLE-BUCKET}}/app-icons/*" } ] } ``` ------ 您也可以使用 `aws:SourceArn` 条件来限制特定资源的资源访问权限。 **注意** 如果您不知道资源的完整 ARN,或者您要指定多个资源,请针对 ARN 未知部分使用带有通配符(\*)的 `aws:SourceArn` 全局条件上下文键。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::{{ELASTIC-FLEET-EXAMPLE-BUCKET}}/vhd-folder/*", "arn:aws:s3:::{{ELASTIC-FLEET-EXAMPLE-BUCKET}}/scripts/*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:appstream:{{us-east-1}}:{{111122223333}}:app-block/*" } } }, { "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::{{ELASTIC-FLEET-EXAMPLE-BUCKET}}/app-icons/*" } ] } ``` ------ 您可以使用 `aws:SourceArn` 和 `aws:SourceAccount` 条件来限制特定资源和账户的资源访问权限。 **注意** 如果您不知道资源的完整 ARN,或者您要指定多个资源,请针对 ARN 未知部分使用带有通配符(\*)的 `aws:SourceArn` 全局条件上下文键。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::{{ELASTIC-FLEET-EXAMPLE-BUCKET}}/vhd-folder/*", "arn:aws:s3:::{{ELASTIC-FLEET-EXAMPLE-BUCKET}}/scripts/*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:appstream:{{us-east-1}}:{{111122223333}}:app-block/*" }, "StringEquals": { "aws:SourceAccount": "{{your AWS account ID}}" } } }, { "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::{{ELASTIC-FLEET-EXAMPLE-BUCKET}}/app-icons/*" } ] } ``` ------