Allow lambda function to access S3 bucket but block external IPs
I am trying to write to an S3 bucket with the help of a lambda function but would like to have the S3 bucket accessible only to IPs inside the office network.
I have used this bucket policy but this does not allow my lambda to write to the S3 bucket; when I remove the IP blocking part, the lambda function works fine.
How can I change this bucket policy so that it allows the lambda to write but does not allow external IPs to access the S3 bucket?
Thanks!
{
  "Version": "2012-10-17",
  "Id": "",
  "Statement": [
    {
      "Sid": "AllowSESPuts",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::mybucket.net/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "230513111850"
        }
      }
    },
    {
      "Sid": "AllowECSPuts",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::mybucket.net/*"
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::abc.net/*",
        "arn:aws:s3:::abc.net"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAJIS5E4JXTWB4RTX3I:*",
            "230513111751"
          ]
        },
        "NotIpAddress": {
          "aws:SourceIp": [
            "81.111.111.111/24" --dummy IP
          ]
        }
      }
    }
  ]
}
As a general rule, it makes life easier if you can avoid Deny statements in policies.

Therefore, you could configure:

There should be no need for a Deny statement in the bucket policy since access is denied by default.
One typical approach is to place the lambda function inside a private VPC subnet. Then attach an S3 gateway VPC endpoint to it and set the corresponding S3 bucket policy to only allow certain actions performed from the VPC endpoint. [ref]
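The two answers above describe two ways out: an allow-only bucket policy with no Deny at all, and a Deny that carves out requests arriving through the S3 gateway VPC endpoint. The script below is an added example, not code from the question or either answer: it builds both variants next to the questioner's "Deny unless office IP" shape and evaluates them against constructed request contexts with a deliberately simplified model of IAM evaluation (explicit Deny wins, any matching Allow grants, otherwise implicit deny; condition operators inside one statement are ANDed; negated operators such as NotIpAddress and StringNotEquals match when the key is absent from the request). The bucket name, account ID, role ARN, endpoint ID and IP addresses are assumptions.

```python
"""Added example: evaluate S3 bucket-policy variants against constructed requests.
Simplified IAM model, not the real policy simulator; see the lead-in for its rules."""
import fnmatch
import ipaddress

# Constructed identifiers: assumptions, not values from the original post.
BUCKET, ACCOUNT = "mybucket.net", "123456789012"
OFFICE_CIDR, VPCE_ID = "81.111.111.0/24", "vpce-0123456789abcdef0"
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/my-lambda-role"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(spec, principal):
    if spec == "*":
        return True
    for arn in _as_list(spec.get("AWS", [])):
        # Simplification: an account root ARN stands for every principal of that account.
        if arn == principal or (arn.endswith(":root") and principal.startswith(arn[:-4])):
            return True
    return False

def _condition_matches(condition, keys):
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted, actual = _as_list(wanted), keys.get(key)
            if op in ("IpAddress", "NotIpAddress"):
                hit = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(w) for w in wanted)
            elif op in ("StringEquals", "StringNotEquals"):
                hit = actual in wanted
            else:
                raise ValueError(f"operator not modelled: {op}")
            if hit == op.startswith(("Not", "StringNot")):  # positive op needs a hit, negated a miss
                return False
    return True

def evaluate(policy, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request context."""
    allowed = False
    for st in policy["Statement"]:
        if (not _principal_matches(st["Principal"], ctx["principal"])
                or ctx["action"] not in _as_list(st["Action"])
                or not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(st["Resource"]))
                or not _condition_matches(st.get("Condition", {}), ctx["keys"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def allow_lambda(require_vpce):
    st = {"Sid": "AllowLambdaRole", "Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE},
          "Action": ["s3:PutObject", "s3:GetObject"], "Resource": BUCKET_ARNS[1]}
    if require_vpce:
        st["Condition"] = {"StringEquals": {"aws:SourceVpce": VPCE_ID}}
    return st

# Granted to the account, not to "*": an Allow for "*" with only an IP condition would admit anonymous callers too.
ALLOW_OFFICE = {"Sid": "AllowOfficeNetwork", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": ACTIONS,
                "Resource": BUCKET_ARNS, "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_CIDR}}}

def deny_outside_office(carve_out_vpce):
    cond = {"NotIpAddress": {"aws:SourceIp": OFFICE_CIDR}}
    if carve_out_vpce:  # both operator blocks must match for the Deny to apply
        cond["StringNotEquals"] = {"aws:SourceVpce": VPCE_ID}
    return {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Principal": "*",
            "Action": ACTIONS, "Resource": BUCKET_ARNS, "Condition": cond}

# Questioner's shape: Deny anything not from the office; the Lambda allow has no condition.
DENY_IP_ONLY = {"Version": "2012-10-17", "Statement": [allow_lambda(False), ALLOW_OFFICE, deny_outside_office(False)]}
# Second answer: same Deny, but requests through the gateway endpoint are carved out.
DENY_WITH_VPCE = {"Version": "2012-10-17", "Statement": [allow_lambda(False), ALLOW_OFFICE, deny_outside_office(True)]}
# First answer: no Deny at all; anything not explicitly allowed is implicitly denied.
ALLOW_ONLY = {"Version": "2012-10-17", "Statement": [allow_lambda(True), ALLOW_OFFICE]}

def request(principal, keys, action="s3:PutObject"):
    return {"principal": principal, "action": action, "keys": keys,
            "resource": f"arn:aws:s3:::{BUCKET}/report.csv"}

REQUESTS = {
    "office": request(f"arn:aws:iam::{ACCOUNT}:user/alice", {"aws:SourceIp": "81.111.111.42"}),
    # Lambda outside a VPC egresses from an AWS public address (constructed value).
    "lambda_public": request(LAMBDA_ROLE, {"aws:SourceIp": "52.94.76.10"}),
    # Behind the gateway endpoint aws:SourceIp is absent from the context; aws:SourceVpce is set.
    "lambda_vpce": request(LAMBDA_ROLE, {"aws:SourceVpce": VPCE_ID}),
    "outsider": request("anonymous", {"aws:SourceIp": "198.51.100.7"}, action="s3:GetObject"),
}

def matrix():
    """Decision for every policy variant and request context."""
    variants = {"deny_ip_only": DENY_IP_ONLY, "deny_with_vpce": DENY_WITH_VPCE, "allow_only": ALLOW_ONLY}
    return {p: {r: evaluate(pol, req) for r, req in REQUESTS.items()} for p, pol in variants.items()}

if __name__ == "__main__":
    print(matrix())
```

Running `matrix()` shows the mechanics behind both answers. Under the questioner's shape the Lambda is denied whether it sits outside a VPC (its egress address is not in the office range) or behind the endpoint, because AWS does not put aws:SourceIp into the request context for requests that arrive through a VPC endpoint, and a NotIpAddress block matches when its key is absent. Adding the StringNotEquals aws:SourceVpce block to the same Deny statement ANDs the two conditions, so the Deny now reads "not from the office AND not through the endpoint", which lets the Lambda through while the outsider is still denied. The allow-only variant reaches the same decisions for the office user, the endpoint-bound Lambda and the outsider, but with ImplicitDeny rather than an explicit Deny, which is the point of the first answer. The office Allow is granted to the account root rather than to Principal "*" on purpose: with "*" an IP condition alone would also admit unauthenticated requests from the office range. Confirm any real policy with the IAM policy simulator before relying on it, since this model ignores identity policies, SCPs and the other condition operators.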