
Why will my AWS S3 policy not restrict access to only certain IP addresses?

I am working on creating an S3 policy in AWS. The S3 bucket stores an mp4 video. I have set up access based on username or password, but I am having trouble restricting access by IP (I only want this video to be accessible from certain IP addresses, namely my home and office IP addresses).

I used myipaddress.com and looked up the "ipconfig" output in cmd to come up with the subnet mask (/19, but some use /32, /24, etc.), but when I use another IP address it still allows the video to be viewed. In other words, anyone can view this video and I am unable to restrict access. Below is the policy code.

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Deny",
                "Action": [
                    "s3:PutAnalyticsConfiguration",
                    "s3:GetObjectVersionTagging",
                    "s3:DeleteAccessPoint",
                    "s3:CreateBucket",
                    "s3:GetStorageLensConfigurationTagging",
                    "s3:ReplicateObject",
                    "s3:GetObjectAcl",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:DeleteBucketWebsite",
                    "s3:DeleteJobTagging",
                    "s3:PutLifecycleConfiguration",
                    "s3:GetObjectVersionAcl",
                    "s3:PutBucketAcl",
                    "s3:PutObjectTagging",
                    "s3:DeleteObject",
                    "s3:DeleteObjectTagging",
                    "s3:GetBucketPolicyStatus",
                    "s3:GetObjectRetention",
                    "s3:GetBucketWebsite",
                    "s3:GetJobTagging",
                    "s3:DeleteStorageLensConfigurationTagging",
                    "s3:PutReplicationConfiguration",
                    "s3:DeleteObjectVersionTagging",
                    "s3:PutObjectLegalHold",
                    "s3:GetObjectLegalHold",
                    "s3:GetBucketNotification",
                    "s3:PutBucketCORS",
                    "s3:DeleteBucketPolicy",
                    "s3:GetReplicationConfiguration",
                    "s3:ListMultipartUploadParts",
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:PutBucketNotification",
                    "s3:DescribeJob",
                    "s3:PutBucketLogging",
                    "s3:PutObjectVersionAcl",
                    "s3:GetAnalyticsConfiguration",
                    "s3:PutBucketObjectLockConfiguration",
                    "s3:GetObjectVersionForReplication",
                    "s3:PutAccessPointPolicy",
                    "s3:GetStorageLensDashboard",
                    "s3:CreateAccessPoint",
                    "s3:GetLifecycleConfiguration",
                    "s3:GetInventoryConfiguration",
                    "s3:GetBucketTagging",
                    "s3:PutAccelerateConfiguration",
                    "s3:DeleteObjectVersion",
                    "s3:GetBucketLogging",
                    "s3:ListBucketVersions",
                    "s3:ReplicateTags",
                    "s3:RestoreObject",
                    "s3:ListBucket",
                    "s3:GetAccelerateConfiguration",
                    "s3:GetBucketPolicy",
                    "s3:PutEncryptionConfiguration",
                    "s3:GetEncryptionConfiguration",
                    "s3:GetObjectVersionTorrent",
                    "s3:AbortMultipartUpload",
                    "s3:PutBucketTagging",
                    "s3:GetBucketRequestPayment",
                    "s3:DeleteBucketOwnershipControls",
                    "s3:GetAccessPointPolicyStatus",
                    "s3:UpdateJobPriority",
                    "s3:GetObjectTagging",
                    "s3:GetMetricsConfiguration",
                    "s3:GetBucketOwnershipControls",
                    "s3:DeleteBucket",
                    "s3:PutBucketVersioning",
                    "s3:PutObjectAcl",
                    "s3:GetBucketPublicAccessBlock",
                    "s3:ListBucketMultipartUploads",
                    "s3:PutBucketPublicAccessBlock",
                    "s3:PutMetricsConfiguration",
                    "s3:PutStorageLensConfigurationTagging",
                    "s3:PutBucketOwnershipControls",
                    "s3:PutObjectVersionTagging",
                    "s3:PutJobTagging",
                    "s3:UpdateJobStatus",
                    "s3:GetBucketVersioning",
                    "s3:GetBucketAcl",
                    "s3:BypassGovernanceRetention",
                    "s3:PutInventoryConfiguration",
                    "s3:GetObjectTorrent",
                    "s3:ObjectOwnerOverrideToBucketOwner",
                    "s3:GetStorageLensConfiguration",
                    "s3:DeleteStorageLensConfiguration",
                    "s3:PutBucketWebsite",
                    "s3:PutBucketRequestPayment",
                    "s3:PutObjectRetention",
                    "s3:GetBucketCORS",
                    "s3:PutBucketPolicy",
                    "s3:DeleteAccessPointPolicy",
                    "s3:GetBucketLocation",
                    "s3:GetAccessPointPolicy",
                    "s3:ReplicateDelete",
                    "s3:GetObjectVersion"
                ],
                "Resource": "arn:aws:s3:::internshipbucket12",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "96.70.32.38/19"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Deny",
                "Action": [
                    "s3:ListStorageLensConfigurations",
                    "s3:GetAccessPoint",
                    "s3:PutAccountPublicAccessBlock",
                    "s3:GetAccountPublicAccessBlock",
                    "s3:ListAllMyBuckets",
                    "s3:ListAccessPoints",
                    "s3:ListJobs",
                    "s3:PutStorageLensConfiguration",
                    "s3:CreateJob"
                ],
                "Resource": "*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "96.70.32.38/19"
                    }
                }
            }
        ]
}


This is not how it works. Your policy is an IAM policy, not a bucket policy. This means that only the IAM users and roles with an explicit allow that you enabled can access the videos. Your policy does not allow anonymous access.

Also, your denies will apply only to requests coming from the 96.70.32.38/19 address range. If you are going to use a different IP, the policies do not apply. For the deny to apply to all other IP addresses except your own, you need NotIpAddress rather than IpAddress in the Condition, as explained in the AWS docs. In addition, your first statement will apply to the bucket only, not its objects. For both objects and buckets you need:

 "Resource": [
     "arn:aws:s3:::internshipbucket12",
     "arn:aws:s3:::internshipbucket12/*"
 ]

Also, buckets and objects by default are private. So you don't need to use your IAM policies with explicit denies. By default no one can access the bucket and its contents, unless you, as an admin, allow this in the policies.
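As an added illustration (not part of the question, the answer, or any AWS code), the following Python script models the two points the answer makes: which source addresses an IpAddress condition matches compared with NotIpAddress, and that a Resource naming only the bucket ARN does not cover the objects inside it. The bucket name and the CIDR come from the question; the object key video.mp4, the two test addresses and the single-statement policy shapes are constructed for the example. It models only explicit Deny statements with an aws:SourceIp condition, not full IAM evaluation (no Allow statements, no other condition operators).

```python
import fnmatch
import ipaddress

# Values taken from the question.
BUCKET = "internshipbucket12"
ALLOWED_RANGE = "96.70.32.38/19"  # host bits set; as a network this is 96.70.32.0/19 (8192 addresses). /32 would pin one host.

BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/video.mp4"  # constructed object key for the example


def deny_policy(condition_operator, resources):
    """Build a single-statement Deny policy in bucket-policy form.

    condition_operator is "IpAddress" or "NotIpAddress"; resources is the list
    of ARN patterns the statement covers. Principal is present because a bucket
    policy needs one; the poster's IAM policy has none.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyBySourceIp",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {condition_operator: {"aws:SourceIp": ALLOWED_RANGE}},
            }
        ],
    }


def posted_policy():
    """Shape of the policy in the question: IpAddress, bucket ARN only."""
    return deny_policy("IpAddress", [BUCKET_ARN])


def corrected_policy():
    """Shape the answer recommends: NotIpAddress, bucket and object ARNs."""
    return deny_policy("NotIpAddress", [BUCKET_ARN, f"{BUCKET_ARN}/*"])


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress against aws:SourceIp.

    Only these two operators are modelled; any other operator raises so the
    simplification never fails silently.
    """
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(operator)
        cidrs = _as_list(keys["aws:SourceIp"])
        in_range = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def is_explicitly_denied(policy, action, resource_arn, source_ip):
    """True if some Deny statement's Action, Resource and Condition all match.

    Real IAM also evaluates Allow statements and denies by default when nothing
    allows; this model only answers "does this policy's Deny fire for this
    request?", which is what the thread is about.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        return True
    return False


if __name__ == "__main__":
    outsider, home = "203.0.113.7", "96.70.40.1"  # constructed test addresses
    for name, pol in (("posted", posted_policy()), ("corrected", corrected_policy())):
        for ip in (outsider, home):
            denied = is_explicitly_denied(pol, "s3:GetObject", OBJECT_ARN, ip)
            print(f"{name:9} s3:GetObject on {OBJECT_ARN} from {ip}: {'DENIED' if denied else 'not denied'}")
```

Running it shows the posted shape never denies s3:GetObject on the object, from any address, because its Resource names only the bucket; its Deny does fire for s3:ListBucket on the bucket ARN, but only from inside 96.70.32.0/19, which is the poster's own range. The corrected shape denies the object fetch from the outside address and leaves the in-range address untouched.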
