问题
say I have a condition like where I want that if the request is not from these ips ["192.0.2.0/24","203.0.113.0/24"] and if the request doesn't have a referrer among the following [example1.com, example2.com ] then deny it. I know individually I can do something like this:
{
"Sid": "6",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"IpAddress":{
"aws:SourceIp": ["192.0.2.0/24","203.0.113.0/24"]
}
}
}
{
"Sid": "7",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::indeev5-dev-media/*/video/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://example1.com/*",
"http://example2.com/*",
]
}
}
}
but how can I do an "and" here.I.e check for both conditions at the same time. I had posted a question which kinda had the same end objective so any pointers would be highly appreciated here. In short what I want to do is deny all requests which are not from the referrer list except the ones which are from the ip list. Thanks
回答1:
It appears that your logic requirement is:
- Allow any request where IP is in
["192.0.2.0/24","203.0.113.0/24"] - Allow any request where referrer is in
["http://example1.com/*", "http://example2.com/*"]
So, you could configure it as an OR rather than an AND NOT, and by only using ALLOW rather than DENY. This has the benefit of allowing User policies to work (which may be overridden by use of DENY).
The policy would be in two parts:
- ALLOW
"Condition": {"IpAddress":{"aws:SourceIp": ["192.0.2.0/24","203.0.113.0/24"]}} - ALLOW
"Condition": {"StringLike": {"aws:Referer": ["http://example1.com/*","http://example2.com/*",]}}
(I have not tested this.)
来源:https://stackoverflow.com/questions/33801483/joining-two-conditions-in-amazon-s3-bucket-policy