
AWS access restricted by public IP or VPC

I'm trying to use an IAM policy to restrict access for all AWS resources to either a public IP or a VPC. Documentation suggests this should work and it seems to work fine for the IP case. But as soon as I add the condition for the VPC, it breaks.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddressIfExists": {
                "aws:SourceIp": "a.b.c.d/32"
            },
            "StringNotEqualsIfExists": {
                "aws:sourceVpc": "vpc-1234wxyz"
            }
        }
    }
}

In a "Deny" Statement, if any of the Conditions are satisfied the request will be denied.

For requests coming from outside of your VPC, "aws:SourceIp" exists and "aws:sourceVpc" does not exist, so it only evaluates your "aws:SourceIp" condition.

For requests coming from inside of your VPC, "aws:SourceIp" exists and "aws:sourceVpc" exists, so it evaluates both. Since you are inside your VPC that condition allows access, but since your source IP is the IP of your AWS instance that condition denies access.

Basically, the problem is you are relying on "IfExists" with the assumption that only one or the other will exist, but inside your VPC both exist. There is a special case for this, only if the request comes via an Endpoint (such as to S3):

Note

If the request comes from a host that uses an Amazon VPC endpoint, then the aws:SourceIp key is not available. You should instead use a VPC-specific key. For more information, see VPC Endpoints - Controlling the Use of Endpoints in the Amazon VPC User Guide.

Only in that special case, Amazon removes "aws:SourceIp" which would make your "IfExists" work.
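To make the IfExists behaviour concrete, here is a small policy-condition simulator written as an added example (it is not code from the question or the answer above, and it is not AWS's evaluator). It models the two operators the policy uses the way the IAM documentation describes them: every operator/key pair in a Condition block must match for the statement to apply, several values under one key are ORed, condition key names are case-insensitive, and an ...IfExists operator counts an absent key as a match. The policy is the asker's, with one assumption: the placeholder "a.b.c.d/32" is replaced by the constructed TEST-NET address 203.0.113.10/32 so the CIDR check can run. The request contexts are constructed to mirror the cases the answer distinguishes, including the VPC-endpoint case from the quoted AWS note where aws:SourceIp is absent.

```python
import ipaddress

# The asker's policy from the question above, reproduced with one substitution:
# the placeholder "a.b.c.d/32" is replaced by the constructed TEST-NET address
# 203.0.113.10/32 so that the CIDR membership test can actually execute.
OFFICE_CIDR = "203.0.113.10/32"
ALLOWED_VPC = "vpc-1234wxyz"

POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddressIfExists": {"aws:SourceIp": OFFICE_CIDR},
            "StringNotEqualsIfExists": {"aws:sourceVpc": ALLOWED_VPC},
        },
    },
}


def _base_operator_matches(base, context_value, policy_values):
    """Evaluate one base condition operator; several policy values are ORed."""
    if base in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(context_value)
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in policy_values)
        return hit if base == "IpAddress" else not hit
    if base in ("StringEquals", "StringNotEquals"):
        hit = context_value in policy_values
        return hit if base == "StringEquals" else not hit
    raise NotImplementedError(f"operator {base} is not modelled in this example")


def condition_block_matches(condition, context):
    """True when every operator/key pair in the block matches (they are ANDed).

    Condition key names are case-insensitive, so the policy's "aws:sourceVpc"
    matches a context entry named "aws:SourceVpc". The ...IfExists suffix makes
    an absent key count as a match; without the suffix an absent key is a miss.
    """
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, values in pairs.items():
            values = [values] if isinstance(values, str) else list(values)
            if key.lower() not in ctx:
                if if_exists:
                    continue  # absent key + IfExists: treated as a match
                return False  # absent key without IfExists: the pair fails
            if not _base_operator_matches(base, ctx[key.lower()], values):
                return False
    return True


def denied_by(policy, context):
    """True if any Deny statement in the policy applies to this request context."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    return any(
        s["Effect"] == "Deny" and condition_block_matches(s.get("Condition", {}), context)
        for s in statements
    )


# Constructed request contexts, carrying only the two keys this policy inspects.
CONTEXTS = {
    # Workstation at the allow-listed public address: only aws:SourceIp is present.
    "office workstation": {"aws:SourceIp": "203.0.113.10"},
    # Some other public address: only aws:SourceIp is present.
    "unknown public host": {"aws:SourceIp": "198.51.100.7"},
    # Request through a VPC endpoint in the allowed VPC: per the quoted AWS note,
    # aws:SourceIp is absent and the VPC-specific key is present instead.
    "endpoint in allowed VPC": {"aws:SourceVpc": "vpc-1234wxyz"},
    # Request through a VPC endpoint in a different VPC (constructed id).
    "endpoint in other VPC": {"aws:SourceVpc": "vpc-0000other"},
    # Instance inside the VPC reaching the public API without an endpoint: the
    # context carries the instance's NAT/public address and no VPC key.
    "instance via NAT, no endpoint": {"aws:SourceIp": "192.0.2.44"},
}


def evaluate_all(policy=POLICY, contexts=CONTEXTS):
    """Map each context name to whether the Deny statement fires for it."""
    return {name: denied_by(policy, ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    for name, denied in evaluate_all().items():
        print(f"{name:32} -> {'DENIED' if denied else 'not denied by this policy'}")
```

Running it shows the asymmetry the answer describes: the allow-listed public address and a request arriving through an endpoint in the allowed VPC are not denied, while an instance that reaches the API over its NAT/public address without an endpoint trips the NotIpAddressIfExists check and, with no VPC key in its context, the StringNotEqualsIfExists check as well, so the Deny fires. When auditing a policy like this, enumerate the request contexts you expect (which keys are actually populated for each path) rather than assuming each path carries exactly one of them.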
