Amazon s3 Pre-signed URL restricted by IP address
The client app requests a presigned URL for S3. Currently we limit the time the URL is valid but would like to also restrict it to the client\'s IP address.
Is it p
-
Yes!
First, it is worth explaining the concept of a Pre-Signed URL.
Objects in Amazon S3 are private by default. Therefore, if somebody tries to access it without providing credentials, access will be denied.
For example, this would not work for a private object:
https://my-bucket.s3.amazonaws.com/foo.jsonTo grant temporary access to the object, a Pre-signed URL can be generated. It looks similar to:
https://my-bucket.s3.amazonaws.com/x.json?AWSAccessKeyId=AKIAIVJQM12345CY3A3Q&Expires=1531965074&Signature=g7Jz%2B%2FYyqc%2FDeL1rzo7WM61RusM%3DThe URL says "I am *this* particular Access Key and I authorize temporary access until *this* time and here is my calculated signature to prove it is me".
When the Pre-Signed URL is used, it temporarily uses the permissions of the signing entity to gain access to the object. This means that I can generate a valid pre-signed URL for an object that I am permitted to access, but the pre-signed URL will not work if I am not normally permitted to access the object.
Therefore, to "create a S3 presigned URL that is restricted to a specific IP address", you should:
- Create an IAM entity (eg IAM User) that has access to the object (or the whole bucket) with a IP address restriction, and
- Use that entity to generate the pre-signed URL
Here is a sample policy for the IAM User:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "IPAllow", "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*", "Condition": { "IpAddress": { "aws:SourceIp": "54.22.33.44/32" } } } ] }The result will be a pre-signed URL that works successfully to access the object, but is then rejected by S3 because the IP address restriction is not met. The user will receive an Access Denied message.
讨论(0)
加载中...
- 热议问题