Amazon S3: Grant anonymous access from IP (via bucket policy)

Submitted by 谁说我不能喝 on 2021-02-09 08:35:58

Question


I have an Amazon S3 bucket and would like to make it available to scripts on a certain machine, without the need to deploy login credentials. So my plan was to allow anonymous access only from the IP of that machine. I'm quite new to the Amazon cloud and bucket policies look like the way to go. I added the following policy to my bucket:

{
    "Version": "2008-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::name_of_my_bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "my_ip_1/24",
                        "my_ip_2/24"
                    ]
                }
            }
        }
    ]
}

But anonymous access still does not work. For testing, I granted access to "Everyone" in the S3 management console. That works fine, but is obviously not what I want to do. ;-) Any hint as to what I'm doing wrong and how to get this working?

My use case is some data processing using EC2 and S3, so access control by IP would be much simpler than fiddling around with user accounts. If there's a simpler solution, I'm open to suggestions.


Answer 1:


But anonymous access still does not work.

Which operation exactly still does not work? Do you, by chance, just try to list the objects in the bucket?

Quite often a use case implicitly involves Amazon S3 API calls that also address resource types other than the Resource explicitly targeted by the policy. Specifically, you'll need to be aware of the difference between Operations on the Service (e.g. ListAllMyBuckets), Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject).

In particular, the Resource specification of your policy currently addresses only the objects within the bucket (arn:aws:s3:::name_of_my_bucket/*), which implies that you cannot list objects in the bucket (you should be able to put/get/delete objects, though). In order to also allow listing of the objects in the bucket via ListBucket, you would need to amend your policy as follows:

{
    "Version": "2008-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::name_of_my_bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "my_ip_1/24",
                        "my_ip_2/24"
                    ]
                }
            }
        },
        {
            "Sid": "IPAllowListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::name_of_my_bucket",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "my_ip_1/24",
                        "my_ip_2/24"
                    ]
                }
            }
        }
    ]
}
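The following is an added example, not code from the question or the answer above. It is a small, offline evaluator for the two policies discussed (the original objects-only policy and the amended one with a second ListBucket statement on the bucket ARN). It models only the parts of IAM policy evaluation the answer relies on: wildcard matching on Action and Resource, the IpAddress / NotIpAddress condition on aws:SourceIp, anonymous (Principal "*") requests, explicit Deny beating Allow, and implicit deny for anything unmatched. The bucket name is the one from the question; the CIDR ranges and the source addresses are placeholders standing in for my_ip_1/24 and my_ip_2/24.

```python
"""Toy evaluator for the bucket policies discussed above (added example)."""
import fnmatch
import ipaddress

BUCKET_ARN = "arn:aws:s3:::name_of_my_bucket"
# Placeholder ranges standing in for "my_ip_1/24" and "my_ip_2/24".
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]
IP_CONDITION = {"IpAddress": {"aws:SourceIp": ALLOWED_RANGES}}

# Statement from the question: objects only (bucket ARN + "/*").
OBJECT_STATEMENT = {
    "Sid": "IPAllow",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "s3:*",
    "Resource": BUCKET_ARN + "/*",
    "Condition": IP_CONDITION,
}

# Statement added by the answer: ListBucket on the bucket ARN itself.
LIST_STATEMENT = {
    "Sid": "IPAllowListBucket",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "s3:ListBucket",
    "Resource": BUCKET_ARN,
    "Condition": IP_CONDITION,
}

ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [OBJECT_STATEMENT]}
AMENDED_POLICY = {"Version": "2012-10-17", "Statement": [OBJECT_STATEMENT, LIST_STATEMENT]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # Both "Principal": "*" and {"AWS": "*"} mean any caller, anonymous included.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are case-sensitive. '*' spans '/' as in IAM, but
    # "bucket/*" never matches the bare bucket ARN, which is the whole point.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, source_ip):
    src = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        for key, cidrs in keys.items():
            if key != "aws:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                return False  # anything this toy does not model counts as unmet
            in_range = any(src in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Decision for an anonymous request: 'Allow', 'Deny' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def compare_policies(source_ip="203.0.113.42"):
    """Run the two requests from the question against both policies."""
    requests = [("s3:GetObject", BUCKET_ARN + "/data.csv"), ("s3:ListBucket", BUCKET_ARN)]
    return {
        name: {action: evaluate(policy, action, resource, source_ip) for action, resource in requests}
        for name, policy in (("original", ORIGINAL_POLICY), ("amended", AMENDED_POLICY))
    }


if __name__ == "__main__":
    for name, results in compare_policies().items():
        print(name, results)
```

Running it shows GetObject allowed under both policies but ListBucket allowed only under the amended one, because the object statement's Resource ends in "/*" and so never matches the bucket ARN that ListBucket is evaluated against. Two further checks are worth making with the same function: a request from an address outside the listed ranges gets an implicit deny, and because the object statement grants "s3:*" to Principal "*", any address inside those /24 ranges (256 addresses each, not just the one machine) can also delete or overwrite objects anonymously, so narrow Action to the operations the scripts actually need and use a /32 for a single host. To confirm against the real bucket from the allowed machine, an unsigned listing such as "aws s3 ls s3://name_of_my_bucket --no-sign-request" exercises exactly the ListBucket path.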


Source: https://stackoverflow.com/questions/16141362/amazon-s3-grant-anonymous-access-from-ip-via-bucket-policy
