Amazon S3 files access policy based on IP Address

前端 未结 2 1315
面向向阳花
面向向阳花 2021-01-30 10:53

Is there any way to limit the access of a file stored in Amazon S3 based on the client IP address?

I have a file stored there, which should be access only by specific IP

相关标签:
2条回答
  • 2021-01-30 11:37

    Amazon describes this in their S3 docs under "Bucket Policy Examples", at Restricting Access to Specific IP Addresses:

    The condition in this statement identifies the 54.240.143.* range of allowed IP addresses, with one exception: 54.240.143.188.

    {
      "Version": "2012-10-17",
      "Id": "S3PolicyId1",
      "Statement": [
        {
          "Sid": "IPAllow",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::examplebucket/*",
          "Condition": {
             "IpAddress": {"aws:SourceIp": ["54.240.143.0/24", "1.2.3.4/32" ]},
             "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"} 
          } 
        } 
      ]
    }
    

    You could add something like that in the AWS S3 console. Select your bucket, click the Properties tab, then Permissions. Click "Add bucket policy" and paste it into the popup dialogue's form.

    I modified Amazon's example to show how multiple IP ranges can be included in the policy by providing a JSON array instead of a string. The "aws:SourceIp" entry of "1.2.3.4/32" means that the single IP address, 1.2.3.4, is also granted access.

    0 讨论(0)
  • Yes there is, although I have not used this myself.

    S3 supports granular control over buckets and objects in them using "Access Policy Language". There is specific whitelist and blacklist IP statements available. You will have to write the APL statements and upload them, however.

    http://docs.amazonwebservices.com/AmazonS3/latest/dev/AccessPolicyLanguage.html

    Here are 2 condition section examples:

    Whitelist

    "Condition" :  {
           "IpAddress" : {
              "aws:SourceIp" : ["192.168.176.0/24","192.168.143.0/24"]
          }
    }
    

    Blacklist

    "Condition" :  {
           "NotIpAddress" : {
              "aws:SourceIp" : ["192.168.176.0/24","192.168.143.0/24"]
          }
    }
    
    0 讨论(0)
提交回复
热议问题