堆栈内存溢出
  简体   繁体   English

如何通过网络限制S3存储桶访问

[英]How to restrict S3 bucket access by network

 原文  2017-07-18 19:58:03       amazon-web-services/ amazon-s3

问题描述

I want to allow public read access to my S3 bucket, except for 2 folders. 我想允许对我的S3存储桶进行公共读取访问,但2个文件夹除外。

On 2 folders, I want to allow access only to visitors coming from specific networks. 在2个文件夹中,我只想允许来自特定网络的访问者访问。

Is there a way to define this? 有没有办法定义这个?

1 个解决方案

解决方案1
 3 已采纳  2017-07-18 23:19:54

There are several different ways to grant access to data stored in Amazon S3: 有几种方法可以授予对存储在Amazon S3中的数据的访问权限:

  • Permissions on the individual objects themselves (discouraged) 对单个对象本身的权限(已终止)
  • Bucket Policies that grant access to whole buckets or directories 授予对整个存储桶或目录的访问权限的存储桶策略
  • IAM User Policies that grant permissions to specific IAM Users/Groups 授予特定IAM用户/组权限的IAM用户策略
  • Pre-Signed URLs that grant temporary, time-limited access to objects (good for programmatically granting access via an application) 预先签名的URL允许对对象进行临时的,有时间限制的访问(适用于以编程方式通过应用程序授予访问权限)

Your use-case would fit Bucket Policies . 您的用例将符合“ 存储桶策略”

You can grant access to an entire Amazon S3 bucket with a policy like this: 您可以使用以下策略授予对整个Amazon S3存储桶的访问权限 

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

You can grant access based upon a range of IP addresses like this: 您可以根据以下IP地址范围授予访问权限 

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
         "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"} 
      } 
    } 
  ]
}

Your situation, where you wish to "allow public read access to my S3 bucket, except for 2 folders" is slightly more difficult because it is an "everything except" use-case. 您希望“允许对我的S3存储桶进行公共读取访问,但2个文件夹除外”的情况要困难一些,因为这是一个“除”之外的所有用例。

Option 1: Specific folders 选项1:特定的文件夹

  • Grant public access to specific folders, AND 授予对特定文件夹的公共访问权限,并且
  • Grant restricted access to specific folders 授予对特定文件夹的受限访问权限

For example: 例如: 

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource":["arn:aws:s3:::examplebucket/folder1/*",
                  "arn:aws:s3:::examplebucket/folder2/*"]
    },
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::examplebucket/folder3/*",
                   "arn:aws:s3:::examplebucket/folder4/*"],
      "Condition": {
         "IpAddress": {"aws:SourceIp": "54.240.143.0/24"} 
      } 
  ]
}

However, that requires that you specifically list each folder. 但是,这要求您专门列出每个文件夹。

Option 2: All except... 选项2:除...以外的所有内容

In this rule, you grant public access, but then Deny some folders if they are not from the right IP range: 在此规则中,您授予公共访问权限,但是如果某些文件夹不在正确的IP范围内,则拒绝它们: 

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource":["arn:aws:s3:::examplebucket/*"]
    },
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::examplebucket/folder3/*",
                   "arn:aws:s3:::examplebucket/folder4/*"],
      "Condition": {
         "NotIpAddress": {"aws:SourceIp": "54.240.143.0/24"} 
      } 
  ]
}

Note the use of Deny with NotIpAddress , which says that access is Denied if the request is not coming from the defined range of IP addresses. 注意使用的DenyNotIpAddress ,它说,访问被拒绝,如果请求不是从定义的IP地址范围的到来。

However, DENY overrides ALLOW , so this also means that you will not be able to access the restricted buckets unless you come from that range of IP addresses -- even if your IAM User has been explicitly granted ALLOW permissions to do so. 但是, DENY会覆盖ALLOW ,因此这也意味着,除非您来自该IP地址范围,否则您将无法访问受限存储区-即使您的IAM用户已被明确授予ALLOW权限也是如此。 For example, if you are an administrator with all permissions in S3, you would still be denied access to the restricted folders if you are coming from the given IP range. 例如,如果您是具有S3中所有权限的管理员,但如果您来自给定IP范围,则仍将拒绝访问受限制的文件夹。 Thus, it might be too restrictive for you since it affects all usage, even when accessed via the console/API. 因此,它可能对您来说过于严格,因为它会影响所有使用情况,即使通过控制台/ API访问也是如此。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在 AWS SAM 模板中限制对 S3 存储桶的公共访问 - How restrict public access to S3 Bucket in AWS SAM Template 如何将 AWS S3 存储桶的访问权限限制为特定角色? - How to restrict access to an AWS S3 bucket only to a specific role? 如何限制对 AWS s3 存储桶的所有访问 - How to restrict all access to the AWS s3 bucket 限制管理员用户访问S3存储桶 - Restrict access to a S3 bucket to admin users 限制对AWS上S3存储桶的访问 - Restrict Access to S3 bucket on AWS AWS S3和CloudFront限制存储桶访问 - AWS S3 and CloudFront Restrict Bucket Access 限制s3存储桶对特定区域的访问 - Restrict s3 bucket access to specific regions 使用 Cloudfront 限制对 S3 存储桶的访问 - Using Cloudfront to restrict access to S3 bucket 限制对我的 S3 存储桶的读写访问 - Restrict read-write access from my S3 bucket 将我的 Amazon S3 存储桶访问权限限制在特定国家/地区 - Restrict my Amazon S3 bucket access to specific Country
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM