
I have an EFS resource that I'm making available to EC2 instances as read-only by using the default EFS 'read-only' policy, as below,

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-bafc47e7-8fbd-4d77-8915-c9bbe646f704",
    "Statement": [
        {
            "Sid": "efs-statement-67d772b9-e439-4280-a895-64135dfd4322",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientMount"
            ],
            "Resource": "arn:aws:elasticfilesystem:<value>:file-system/fs-<value>",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}

I would like to allow VPN client users to mount the EFS and have write access as well, but I can't figure out a method for adding a statement to this policy that enables this.

As a starting point, adding the following of course works, but it allows write access for everything which is of course not what I'm after,

        {
            "Sid": "Allow write access for VPN users",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "elasticfilesystem:ClientWrite",
            "Resource": "arn:aws:elasticfilesystem:<value>:file-system/fs-<value>",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }

I've tried a couple of methods to restrict this write statement to just VPN users,

  1. Modify the AWS Principal with various ARNs related to my VPN endpoint.
  2. Add an 'IpAddress' condition with the key 'aws:VpcSourceIp' that is my VPN client CIDR block as well as just the IP of my client.

Neither approach works; I can only mount the NFS system with read-only access when using either approach.

Is there a way to modify the write statement above that limits it to VPN client users? Or is there another approach I should use instead of amending the default read-only policy?

Much thanks.
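The following is an added example, not code from the question or from AWS. It is a small evaluator for an EFS file-system (resource) policy that models the standard IAM decision rules (an explicit Deny beats any Allow; a condition key that is absent from the request context never satisfies a positive operator) and runs three request contexts through a constructed policy: the question's read-only statement, a `ClientWrite` statement whose `Principal` is a named role rather than `"AWS": "*"`, and a Deny for unencrypted transport. The account id and ARNs are placeholders. `elasticfilesystem:AccessedViaMountTarget` and `aws:SecureTransport` are real EFS condition keys; the placeholder role would only be visible to the policy if the client mounts with IAM authorization (the EFS mount helper's `iam` mount option), because a plain anonymous NFS mount carries no identity beyond `*`.

```python
"""Toy evaluator for an EFS file-system policy (added example, placeholder ARNs)."""
import fnmatch
import ipaddress

FS_ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-PLACEHOLDER"
VPN_ROLE_ARN = "arn:aws:iam::111122223333:role/vpn-efs-writer"  # hypothetical role

# Constructed policy: read-only for anyone via a mount target, write only for the
# placeholder role, and an explicit deny for connections without TLS.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyViaMountTarget",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientRootAccess"],
            "Resource": FS_ARN,
            "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}},
        },
        {
            "Sid": "WriteForVpnRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": VPN_ROLE_ARN},
            "Action": "elasticfilesystem:ClientWrite",
            "Resource": FS_ARN,
            "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}},
        },
        {
            "Sid": "DenyUnencryptedTransport",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": FS_ARN,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

ACTIONS = ("elasticfilesystem:ClientMount", "elasticfilesystem:ClientRootAccess",
           "elasticfilesystem:ClientWrite")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """'*' matches everyone (anonymous NFS clients included); otherwise the caller ARN must be listed."""
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or (caller_arn is not None and caller_arn in allowed)


def _conditions_match(condition, request_keys):
    """All operator/key pairs must hold; a key missing from the request never matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request_keys.get(key)
            if actual is None:
                return False
            expected = [str(e).lower() for e in _as_list(expected)]
            if operator in ("Bool", "StringEquals", "ArnEquals"):
                if str(actual).lower() not in expected:
                    return False
            elif operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                if not any(addr in ipaddress.ip_network(c, strict=False) for c in expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, caller_arn, request_keys):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for a single action."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not _conditions_match(stmt.get("Condition", {}), request_keys):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def allowed_actions(caller_arn, request_keys, policy=POLICY, resource=FS_ARN):
    return sorted(a for a in ACTIONS
                  if evaluate(policy, a, resource, caller_arn, request_keys) == "Allow")


if __name__ == "__main__":
    via_mt_tls = {"elasticfilesystem:AccessedViaMountTarget": "true", "aws:SecureTransport": "true"}
    via_mt_plain = {"elasticfilesystem:AccessedViaMountTarget": "true", "aws:SecureTransport": "false"}
    print("anonymous, tls  :", allowed_actions(None, via_mt_tls))
    print("vpn role, tls   :", allowed_actions(VPN_ROLE_ARN, via_mt_tls))
    print("other role, tls :", allowed_actions("arn:aws:iam::111122223333:role/other", via_mt_tls))
    print("anonymous, plain:", allowed_actions(None, via_mt_plain))
```

The anonymous and "other role" contexts get only `ClientMount` and `ClientRootAccess`, the placeholder VPN role additionally gets `ClientWrite`, and any context without TLS gets nothing. The `_conditions_match` rule that an absent key returns `False` is also why a condition on a key the request does not carry can never widen access: it can only prevent an Allow statement from matching, which is the outcome the question describes for the attempted source-IP condition.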

Tags: amazon web services. Source: "How to create specific EFS policy for VPN client users", Stack Overflow.