前言
脚本的目的:
- 创建 S3 桶，并初始化 conf/、data/、backup/、logs/* 等固定前缀
- 为桶添加生命周期规则（规则内容见文末 s3-lifecycle.json，需在运行前准备好）
- 创建两个 IAM 策略：s3-<桶名>-role 供程序角色使用，s3-<桶名>-local 供本地个人用户使用并限制来源 IP
s3官方授权示例:https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/dev/example-policies-s3.html
主体脚本
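#!/bin/bash
# Provision an S3 bucket for one team and the IAM policies that go with it.
#
# What it does, in order:
#   1. asks for bucket name, team name, an access key pair and the region
#   2. creates the bucket (region-aware), blocks public access, creates the
#      fixed prefix layout (conf/ data/ backup/ logs/...) and tags it with Team
#   3. applies the lifecycle rules from ./s3-lifecycle.json (prepare it first)
#   4. creates two customer-managed IAM policies scoped to the bucket:
#        s3-<bucket>-role   for the application role, no IP restriction
#        s3-<bucket>-local  for people, only valid from ALLOWED_SOURCE_IP
#      The rendered documents are left in ./s3-program.rule and ./s3-local.rule.
#
# Needs the aws CLI, S3 permissions on the new bucket and iam:CreatePolicy.
# Region codes: https://docs.amazonaws.cn/general/latest/gr/rande.html#s3_region
#
# Optional environment:
#   ALLOWED_SOURCE_IP  CIDR the "local" policy is restricted to. The default
#                      1.1.1.1/32 is a placeholder; set it to your egress IP.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

command -v aws >/dev/null 2>&1 || die "aws CLI not found in PATH"
# Fail before anything is created if the lifecycle document is missing.
lifecycle_file=s3-lifecycle.json
[[ -f "${lifecycle_file}" ]] || die "${lifecycle_file} not found in $(pwd)"

# --- inputs -----------------------------------------------------------------
# Bucket name. Basic S3 naming rules: 3-63 chars of lowercase letters, digits,
# '.' and '-', starting and ending with a letter or digit. The name is spliced
# into the JSON policy documents and the policy names below, so anything else
# is rejected up front instead of producing a malformed policy.
read -rp "输入s3桶名=" S3BucketName
bucket_re='^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
[[ "${S3BucketName}" =~ ${bucket_re} ]] || die "invalid S3 bucket name: '${S3BucketName}'"

# Owning team, stored as the bucket's Team tag. It is passed through the CLI's
# shorthand syntax, where ',' '[' ']' '{' '}' '=' are structural characters.
read -rp "输入项目名=" TeamName
team_bad_re='[],[{}=]'
[[ -n "${TeamName}" && ! "${TeamName}" =~ ${team_bad_re} ]] \
  || die "team name must be non-empty and must not contain , [ ] { } ="

# Credentials are prompted for rather than passed as arguments so they do not
# land in shell history or `ps` output; the secret is read with -s so it is not
# echoed. They are exported to this process (and the aws CLI it runs) only.
# If you normally use named profiles or an instance role, drop these prompts
# and let the CLI's credential chain apply instead.
read -rp "输入AWS_ACCESS_KEY_ID=" AWS_ACCESS_KEY_ID
read -rsp "输入AWS_SECRET_ACCESS_KEY=" AWS_SECRET_ACCESS_KEY
echo  # -s suppresses the newline after the hidden input
read -rp "输入AWS_DEFAULT_REGION=" AWS_DEFAULT_REGION
[[ -n "${AWS_ACCESS_KEY_ID}" && -n "${AWS_SECRET_ACCESS_KEY}" && -n "${AWS_DEFAULT_REGION}" ]] \
  || die "access key id, secret access key and region are all required"
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION

# The ARN partition is part of every Resource in the policies below and
# depends on the region family: China regions use aws-cn, GovCloud uses
# aws-us-gov, everything else uses aws.
case "${AWS_DEFAULT_REGION}" in
  cn-*)     arn_partition=aws-cn ;;
  us-gov-*) arn_partition=aws-us-gov ;;
  *)        arn_partition=aws ;;
esac

allowed_ip=${ALLOWED_SOURCE_IP:-1.1.1.1/32}
if [[ -z "${ALLOWED_SOURCE_IP:-}" ]]; then
  printf 'warning: ALLOWED_SOURCE_IP not set; the local policy will use the placeholder %s\n' \
    "${allowed_ip}" >&2
fi

# --- bucket -----------------------------------------------------------------
S3LocationConstraint=${AWS_DEFAULT_REGION}
# us-east-1 must be created without a LocationConstraint; every other region
# requires one. An explicit if/else so that a failed us-east-1 create cannot
# fall through into the other branch.
if [[ "${S3LocationConstraint}" == 'us-east-1' ]]; then
  aws s3api create-bucket --bucket "${S3BucketName}" --region "${S3LocationConstraint}"
else
  aws s3api create-bucket --bucket "${S3BucketName}" --region "${S3LocationConstraint}" \
    --create-bucket-configuration "LocationConstraint=${S3LocationConstraint}"
fi

# The role policy below grants s3:PutObjectAcl. With public access blocked at
# the bucket level that permission cannot be used to make objects
# world-readable via an object ACL.
aws s3api put-public-access-block --bucket "${S3BucketName}" \
  --public-access-block-configuration \
  'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

# Fixed prefix layout. The lifecycle rules and both policies key off these
# exact paths, so keep all three in sync if you change one.
for prefix in conf/ data/ backup/ logs/7days/ logs/15days/ logs/30days/ \
              logs/60days/ logs/90days/ logs/longlasting/; do
  aws s3api put-object --bucket "${S3BucketName}" --key "${prefix}"
done

aws s3api put-bucket-tagging --bucket "${S3BucketName}" \
  --tagging "TagSet=[{Key=Team,Value=${TeamName}}]"

# NOTE: NoncurrentVersion* rules in the lifecycle document only take effect on
# a versioned bucket; this script does not enable versioning.
aws s3api put-bucket-lifecycle-configuration --bucket "${S3BucketName}" \
  --lifecycle-configuration "file://${lifecycle_file}"

# --- IAM policy documents ---------------------------------------------------
# Policy for the application role: object read/write/delete (plus object ACL
# read/write) under each known prefix, and listing of the bucket itself.
cat > s3-program.rule <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:GetObjectAcl"
      ],
      "Resource": [
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/7days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/15days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/30days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/60days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/90days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/longlasting/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/conf/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/data/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/backup/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:${arn_partition}:s3:::${S3BucketName}"
    }
  ]
}
EOF

# Policy for people: the same object read/write/delete (no ACL actions),
# bucket listing and location, and ListAllMyBuckets so `aws s3 ls` / the
# console work -- all of it only from the allowed CIDR.
# aws:SourceIp is a single-valued key, so the plain IpAddress operator is the
# correct form; the ForAnyValue: set prefix is meant for multivalued keys and
# is flagged by IAM Access Analyzer. Requests that reach S3 through a VPC
# endpoint carry no aws:SourceIp and are therefore not allowed by this policy.
cat > s3-local.rule <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:${arn_partition}:s3:::${S3BucketName}",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "${allowed_ip}"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/7days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/15days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/30days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/60days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/90days/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/logs/longlasting/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/conf/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/data/*",
        "arn:${arn_partition}:s3:::${S3BucketName}/backup/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "${allowed_ip}"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:${arn_partition}:s3:::${S3BucketName}",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "${allowed_ip}"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "${allowed_ip}"
          ]
        }
      }
    }
  ]
}
EOF

# --- IAM policies -----------------------------------------------------------
# create-policy is not idempotent: rerunning for the same bucket name fails
# with EntityAlreadyExists. Delete the old policies first if you need to redo.
aws iam create-policy --policy-name "s3-${S3BucketName}-role" \
  --description "For role use only!!!!!!!!!!!!" \
  --policy-document file://s3-program.rule
aws iam create-policy --policy-name "s3-${S3BucketName}-local" \
  --description "Limit the source IP!!!!!!!!!!!!" \
  --policy-document file://s3-local.rule

echo "程序用户规则: s3-${S3BucketName}-role 已生成"
echo "本地用户规则:s3-${S3BucketName}-local 已生成"
echo "请将 local 规则关联到对应个人用户或组"
echo "请将 role 规则关联到角色"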
生命周期规则 s3-lifecycle.json
规则说明:
- 所有对象（包括 conf/、data/、backup/ 下的对象），30 天之后转为 ONEZONE_IA。注意 ONEZONE_IA 只保存在单个可用区，该可用区损毁时数据会丢失，backup/ 下如需跨可用区冗余应单独处理;
- logs 前缀单独定义:
  - logs/<N>days/ 路径下的对象在上传 N 天后删除，同时中止发起 7 天后仍未完成的分段上传
  - logs/longlasting/ 路径下的对象永久保存，但是 90 天之后转换为 GLACIER
- 规则中的 NoncurrentVersionTransitions / NoncurrentVersionExpiration 只在桶开启版本控制后才生效，上面的脚本并未开启版本控制。
{
"Rules": [
{
"Filter": {
"Prefix": ""
},
"Status": "Enabled",
"Transitions": [
{
"Days": 30,
"StorageClass": "ONEZONE_IA"
}
],
"NoncurrentVersionTransitions": [
{
"NoncurrentDays": 30,
"StorageClass": "ONEZONE_IA"
}
],
"ID": "30days_onezone_ia"
},
{
"Filter": {
"Prefix": "logs/longlasting/"
},
"Status": "Enabled",
"Transitions": [
{
"Days": 90,
"StorageClass": "GLACIER"
}
],
"ID": "logs_90day_glacier"
},
{
"Status": "Enabled",
"NoncurrentVersionExpiration": {
"NoncurrentDays": 1
},
"Filter": {
"Prefix": "logs/7days/"
},
"Expiration": {
"Days": 7
},
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 7
},
"ID": "logs_delete_7days_before"
},
{
"Status": "Enabled",
"NoncurrentVersionExpiration": {
"NoncurrentDays": 1
},
"Filter": {
"Prefix": "logs/15days/"
},
"Expiration": {
"Days": 15
},
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 7
},
"ID": "logs_delete_15days_before"
},
{
"Status": "Enabled",
"NoncurrentVersionExpiration": {
"NoncurrentDays": 1
},
"Filter": {
"Prefix": "logs/30days/"
},
"Expiration": {
"Days": 30
},
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 7
},
"ID": "logs_delete_30days_before"
},
{
"Status": "Enabled",
"NoncurrentVersionExpiration": {
"NoncurrentDays": 1
},
"Filter": {
"Prefix": "logs/60days/"
},
"Expiration": {
"Days": 60
},
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 7
},
"ID": "logs_delete_60days_before"
},
{
"Status": "Enabled",
"NoncurrentVersionExpiration": {
"NoncurrentDays": 1
},
"Filter": {
"Prefix": "logs/90days/"
},
"Expiration": {
"Days": 90
},
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": 7
},
"ID": "logs_delete_90days_before"
}
]
}