
Allow lambda function to access S3 bucket but block external IPs

I am trying to write to an S3 bucket with the help of a Lambda function, but would like the S3 bucket to be accessible only to IPs inside the office network.

I have used this bucket policy, but it does not allow my Lambda to write to the S3 bucket; when I remove the IP-blocking part, the Lambda function works fine.

How can I change this bucket policy so that it allows the Lambda to write but does not allow external IPs to access the S3 bucket?

Thanks!

{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket.net/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "230513111850"
                }
            }
        },
        {
            "Sid": "AllowECSPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::mybucket.net/*"
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::abc.net/*",
                "arn:aws:s3:::abc.net"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAJIS5E4JXTWB4RTX3I:*",
                        "230513111751"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "81.111.111.111/24"
                    ]
                }
            }
        }
    ]
}

(81.111.111.111/24 is a dummy IP.)

As a general rule, it makes life easier if you can avoid Deny statements in policies.

Therefore, you could configure:

  • An Amazon S3 bucket with a Bucket Policy that permits access from the desired CIDR range
  • An IAM Role for the Lambda function that permits access to the Amazon S3 bucket

There should be no need for a Deny statement in the bucket policy since access is denied by default.

One typical approach is to place the Lambda function inside a private VPC subnet. Then attach an S3 gateway VPC endpoint to it and set the corresponding S3 bucket policy to only allow certain actions performed from the VPC endpoint. [ref]
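To see why the asker's Deny statement blocks the Lambda and how the two answers above avoid it, here is an added example that is not from the question or either answer: a small offline Python model of bucket-policy evaluation (a matching explicit Deny wins; otherwise a matching Allow in the bucket policy or in the caller's identity policy wins; otherwise the request is implicitly denied) run over three policies: the asker's Deny statement, the Allow-only bucket policy plus Lambda role from the first answer, and the aws:sourceVpce condition from the second. The account ID, role names, session IDs, source IP addresses and the endpoint ID are assumptions, and only the condition operators used on this page plus IpAddress are implemented.

```python
"""Offline model of S3 bucket-policy evaluation for the policies in this thread.
Added illustration, not code from the question or either answer. All account IDs,
role names, session IDs, IP addresses and the endpoint ID are constructed."""
import ipaddress
from fnmatch import fnmatchcase

OFFICE_CIDR = "81.111.111.0/24"   # the post's dummy office range, as a strict CIDR
BUCKET = "arn:aws:s3:::abc.net"
LAMBDA_ROLE = "arn:aws:iam::111122223333:role/lambda-writer"   # assumed
OFFICE_ROLE = "arn:aws:iam::111122223333:role/office-users"    # assumed
VPCE = "vpce-0abc123example"                                    # assumed S3 gateway endpoint

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(operator, key, values, ctx):
    """One condition element; a key absent from the request context is a non-match."""
    if key not in ctx:
        return False
    actual, values = ctx[key], _as_list(values)
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotLike":
        return not any(fnmatchcase(actual, v) for v in values)
    if operator in ("IpAddress", "NotIpAddress"):
        inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
        return inside if operator == "IpAddress" else not inside
    raise ValueError(f"operator {operator} not modelled")

def _statement_matches(stmt, req):
    if "Principal" in stmt:                           # identity policies carry no Principal
        p = stmt["Principal"]
        allowed = ["*"] if p == "*" else [a for v in p.values() for a in _as_list(v)]
        if not any(fnmatchcase(req["principal"], a) for a in allowed):
            return False
    if not any(fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_ok(op, k, v, req["ctx"])
               for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items())

def evaluate(req, bucket_policy, identity_policy=None):
    stmts = list(bucket_policy["Statement"]) + (identity_policy or {"Statement": []})["Statement"]
    matched = [s for s in stmts if _statement_matches(s, req)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "DENY"                                 # explicit deny always wins
    return "ALLOW" if matched else "DENY"             # no Allow anywhere: implicit deny

# The asker's policy, reduced to the Deny statement that causes the problem.
ORIGINAL_BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": "*",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotLike": {"aws:userId": ["AROAJIS5E4JXTWB4RTX3I:*", "230513111751"]},
                  "NotIpAddress": {"aws:SourceIp": [OFFICE_CIDR]}}}]}
# First answer: Allow-only bucket policy for the office range; the Lambda role is
# granted by its own identity policy, so no Deny is needed.
OFFICE_FROM_CIDR = {"Effect": "Allow", "Principal": {"AWS": OFFICE_ROLE},
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"], "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": [OFFICE_CIDR]}}}
ANSWER1_BUCKET_POLICY = {"Statement": [OFFICE_FROM_CIDR]}
LAMBDA_IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/*"}]}
OFFICE_IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
                                         "Resource": [BUCKET, BUCKET + "/*"]}]}
# Second answer: the Lambda role is allowed only when the request arrives through
# the S3 gateway endpoint of its private subnet.
ANSWER2_BUCKET_POLICY = {"Statement": [OFFICE_FROM_CIDR, {
    "Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE}, "Action": "s3:PutObject",
    "Resource": BUCKET + "/*", "Condition": {"StringEquals": {"aws:sourceVpce": VPCE}}}]}

# Constructed requests. A Lambda outside a VPC egresses from AWS public address
# space (made-up address); a request through a VPC endpoint carries aws:sourceVpce.
def _req(principal, action, ctx):
    return {"principal": principal, "action": action, "resource": BUCKET + "/report.csv", "ctx": ctx}

REQUESTS = {
    "lambda_public": _req(LAMBDA_ROLE, "s3:PutObject", {"aws:userId": "AROAEXAMPLE222:lambda", "aws:SourceIp": "52.94.76.10"}),
    "lambda_vpce": _req(LAMBDA_ROLE, "s3:PutObject", {"aws:userId": "AROAEXAMPLE222:lambda", "aws:sourceVpce": VPCE}),
    "office": _req(OFFICE_ROLE, "s3:GetObject", {"aws:userId": "AROAEXAMPLE333:alice", "aws:SourceIp": "81.111.111.42"}),
    "external": _req(OFFICE_ROLE, "s3:GetObject", {"aws:userId": "AROAEXAMPLE333:alice", "aws:SourceIp": "203.0.113.7"}),
}

def run(bucket_policy, identity_for, names):
    return {n: evaluate(REQUESTS[n], bucket_policy, identity_for.get(REQUESTS[n]["principal"])) for n in names}

def original():   # asker's Deny fires on the Lambda's public source IP despite its IAM allow
    return run(ORIGINAL_BUCKET_POLICY, {LAMBDA_ROLE: LAMBDA_IDENTITY_POLICY, OFFICE_ROLE: OFFICE_IDENTITY_POLICY},
               ["lambda_public", "office", "external"])

def answer1():    # Allow-only bucket policy plus Lambda identity policy
    return run(ANSWER1_BUCKET_POLICY, {LAMBDA_ROLE: LAMBDA_IDENTITY_POLICY}, ["lambda_public", "office", "external"])

def answer2():    # everything granted by the bucket policy; the Lambda only via the endpoint
    return run(ANSWER2_BUCKET_POLICY, {}, list(REQUESTS))

if __name__ == "__main__":
    for name, fn in (("original", original), ("answer1", answer1), ("answer2", answer2)):
        print(f"{name:9s} {fn()}")
```

The model shows the asker's failure mode directly: the Lambda's request arrives from AWS address space, not the office range, and its role session does not match the listed aws:userId values, so the Deny matches and overrides the role's own Allow. Both Allow-only variants let the Lambda through while the external request falls to the implicit deny. The caveat a practitioner should keep in mind is that without a Deny, any identity in the account whose own IAM policy grants s3:* can still reach the bucket from any IP; the Allow-only designs rely on identity policies being kept as narrow as the Lambda role's here.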

Notice: the technical posts on this site follow the CC BY-SA 4.0 licence; if you repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM