堆栈内存溢出
  简体   繁体   English

Amazon S3策略-IP地址或HTTP引用

[英]Amazon S3 Policy - IP Address OR HTTP Referer

 原文  2014-10-24 11:39:00       amazon-web-services/ amazon-s3

问题描述

I was wondering if it's possible to combine two statements in a bucket policy to achieve the following scenario: 我想知道是否可以在存储桶策略中组合两个语句来实现以下方案:

  • A specific IP address, abcd , is allowed to perform any action; 允许特定的IP地址abcd执行任何操作;
  • A CDN host, http://cdn.example.com , is allowed to perform just GetObject action to serve content. CDN主机http://cdn.example.com仅允许执行GetObject操作来提供内容。

I don't know exactly which IP addresses cdn.example.com will use, so I can't just rely on IP address policy. 我不知道cdn.example.com将使用哪个IP地址,因此我不能仅仅依靠IP地址策略。

Let's suppose the bucket is named public , I tried the following policy 假设存储桶名为public ,我尝试了以下策略 

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "Allow CDN referrer",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::public/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": "http://cdn.example.com/*"
        }
      }
    },
    {
      "Sid": "Deny everyone except for a.b.c.d",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::public/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "a.b.c.d"
        }
      }
    }
  ]
}

The two statements behave as expected singularly, but when combined the result is that only abcd is able to access the bucket publicly, probably because cdn.example.com IP address is blocked by the second statement. 这两个语句的行为均与预期的一样,但是结合在一起的结果是只有abcd能够公开访问该存储桶,这可能是因为cdn.example.com IP地址被第二个语句阻止了。

At this point, I wonder if what I want to achieve is possible, maybe using different statements, or not possible at all. 在这一点上,我想知道我想要实现的目标是否可能,或者使用不同的语句,或者根本不可能实现。

edit 编辑

abcd IP address does not belong to cdn.example.com, it's another organization's IP address. abcd IP地址不属于cdn.example.com,它是另一个组织的IP地址。

In the policy I want to enable a host evaluating HTTP referer OR IP address. 在策略中,我要启用主机,以评估HTTP引用 IP地址。

After rephrasing the statements I have the following 改写陈述后,我有以下内容 

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "Allow CDN referrer",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::public/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": "http://cdn.example.com/*"
        },
        "IpAddress": {
          "aws:SourceIp": "a.b.c.d"
        }
      }
    }
  ]
}

However, the problem is that the two contitions StringLike and IpAddress are evaluated in AND , while I need OR . 但是,问题是两个条件StringLikeIpAddressAND中求值,而我需要OR

Edit: 编辑:

However, the problem is that the two contitions StringLike and IpAddress are evaluated in AND , while I need OR . 但是,问题是两个条件StringLikeIpAddressAND中求值,而我需要OR

According to documentation, more Conditions are evaluated with logical AND, while more options inside a single condition are evaluated in OR, and I found no way to achieve what I want. 根据文档,更多的条件使用逻辑AND进行评估,而单个条件内的更多选项使用OR进行评估,我发现无法实现我想要的方法。

2 个解决方案

解决方案1
 1  2014-10-24 16:38:36

The key to remember is that the order of priority for effects is Deny first, Allow second (and default Deny last). 要记住的关键是效果的优先级顺序是“首先拒绝”,“第二次允许”(默认是“最后拒绝”)。 Any Deny effects will override Allow effects, and if you don't explicitly Allow access, it's denied by default. 任何“拒绝”效果都会覆盖“允许”效果,并且如果您未明确允许访问,则默认情况下会拒绝它。

What you probably want to do is rephrase your second condition into an Allow policy - rather than "Deny" everyone that's not from that IP, specifically "Allow" that IP. 您可能想做的是将第二个条件改写为“允许”策略-而不是“拒绝”不是来自该IP的所有人,特别是“允许”该IP。

It might also be possible to define what you want with compound conditions (see the documentation for more info), though in this specific case, I think redefining your second policy into Allow will work best. 尽管在这种特定情况下,我认为将第二个策略重新定义为“允许”将是最好的方法,但也可以使用复合条件来定义所需的内容(有关更多信息,请参见文档 )。

解决方案2
 1  2017-01-23 10:24:04

you can use 2 seperate allow condition to work as an OR condition 您可以使用2个单独的allow条件作为OR条件 

 {
      "Version": "2012-10-17",
      "Id": "S3PolicyId1",
      "Statement": [
        {
          "Sid": "Allow CDN referrer Http",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::public/*",
          "Condition": {
            "StringLike": {
              "aws:Referer": "http://cdn.example.com/*"
            }
          }
        },
        {
          "Sid": "Allow CDN referrer IP",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::public/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "a.b.c.d"
            }
          }
        }
      ]
    }

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Amazon S3 存储桶策略引用器 - Amazon S3 Bucket Policy Referer 如何为 IP 地址设置 Amazon S3 策略 - How to setup Amazon S3 policy for ip address Amazon S3文件基于IP地址访问策略 - Amazon S3 files access policy based on IP Address Amazon S3存储桶策略,用于特定文件夹上的引用条件 - Amazon S3 bucket policy for referer condition on specific folder 允许下载到特定 IP 地址的 S3 访问策略 - S3 access policy to allow download to a specific IP address AWS CDK 中 S3 存储桶策略中的白名单 IP 地址 - Whitelist IP Address in S3 Bucket Policy in AWS CDK Amazon S3存储桶策略允许访问仅特定的http - Amazon S3 bucket policy allow access to ONLY specific http Amazon S3 - 通过引用限制访问 - Amazon S3 - Restrict Access by referer Amazon s3受IP地址限制的预签名URL - Amazon s3 Pre-signed URL restricted by IP address 使用IP地址访问Amazon S3资源 - Accessing Amazon S3 resources using IP address
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM