1. 技术文章
  2. Amazon s3 Pre-signed URL restricted by IP address

Amazon s3 Pre-signed URL restricted by IP address

六月ゝ 毕业季﹏ 提交于 2019-12-06 06:38:11

问题


The client app requests a presigned URL for S3. Currently we limit the time the URL is valid but would like to also restrict it to the client's IP address.

Is it possible to create a S3 presigned URL that is restricted to a specific IP address?

From what I can tell only CloudFront will let me do this.


回答1:


Yes!

First, it is worth explaining the concept of a Pre-Signed URL.

Objects in Amazon S3 are private by default. Therefore, if somebody tries to access it without providing credentials, access will be denied.

For example, this would not work for a private object:

https://my-bucket.s3.amazonaws.com/foo.json

To grant temporary access to the object, a Pre-signed URL can be generated. It looks similar to:

https://my-bucket.s3.amazonaws.com/x.json?AWSAccessKeyId=AKIAIVJQM12345CY3A3Q&Expires=1531965074&Signature=g7Jz%2B%2FYyqc%2FDeL1rzo7WM61RusM%3D

The URL says "I am *this* particular Access Key and I authorize temporary access until *this* time and here is my calculated signature to prove it is me".

When the Pre-Signed URL is used, it temporarily uses the permissions of the signing entity to gain access to the object. This means that I can generate a valid pre-signed URL for an object that I am permitted to access, but the pre-signed URL will not work if I am not normally permitted to access the object.

Therefore, to "create a S3 presigned URL that is restricted to a specific IP address", you should:

  • Create an IAM entity (eg IAM User) that has access to the object (or the whole bucket) with a IP address restriction, and
  • Use that entity to generate the pre-signed URL

Here is a sample policy for the IAM User:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "54.22.33.44/32"
                }
            }
        }
    ]
}

The result will be a pre-signed URL that works successfully to access the object, but is then rejected by S3 because the IP address restriction is not met. The user will receive an Access Denied message.



来源:https://stackoverflow.com/questions/51407211/amazon-s3-pre-signed-url-restricted-by-ip-address

标签
amazon-web-services
amazon-s3
ip-address
pre-signed-url
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!