用于限制对 Cloudflare IP 地址访问的 S3 存储桶策略
[英]S3 Bucket Policy for Limiting Access to Cloudflare IP Addresses
问题描述
I will be using Cloudflare as a proxy for my S3 website bucket to make sure users can't directly access the website with the bucket URL.
我将使用 Cloudflare 作为 S3 网站存储桶的代理,以确保用户无法使用存储桶 URL 直接访问网站。
I have an S3 bucket set up for static website hosting with my custom domain:
www.mydomain.comand have uploaded myindex.htmlfile.我用我的自定义域为 static 网站托管设置了一个 S3 存储桶: www.mydomain.com并上传了我的index.html文件。I have a
CNAMErecord withwww.mydomain.com->www.mydomain.com.s3-website-us-west-1.amazonaws.comand CloudflareProxyenabled.我有一条CNAME记录,其中www.mydomain.com->www.mydomain.com.s3-website-us-west-1.amazonaws.comProxy
Issue: I am trying to apply a bucket policy to Deny access to my website bucket unless the request originates from a range of Cloudflare IP addresses .问题:我正在尝试将存储桶策略应用于Deny访问我的网站存储桶,除非该请求源自一系列Cloudflare IP 地址。 I am following the official AWS docs to do this, but every time I try to access my website, I get a Forbidden 403 AccessDenied error.我正在按照官方 AWS 文档执行此操作,但每次尝试访问我的网站时,都会收到Forbidden 403 AccessDenied错误。
This is my bucket policy:这是我的存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudflareGetObject",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::ACCOUNT_ID:user/Administrator",
"arn:aws:iam::ACCOUNT_ID:root"
]
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::www.mydomain.com/*",
"arn:aws:s3:::www.mydomain.com"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"2c0f:f248::/32",
"2a06:98c0::/29",
"2803:f800::/32",
"2606:4700::/32",
"2405:b500::/32",
"2405:8100::/32",
"2400:cb00::/32",
"198.41.128.0/17",
"197.234.240.0/22",
"190.93.240.0/20",
"188.114.96.0/20",
"173.245.48.0/20",
"172.64.0.0/13",
"162.158.0.0/15",
"141.101.64.0/18",
"131.0.72.0/22",
"108.162.192.0/18",
"104.16.0.0/12",
"103.31.4.0/22",
"103.22.200.0/22",
"103.21.244.0/22"
]
}
}
}
]
}
1 个解决方案
解决方案1
1 2021-02-13 19:26:56
By default, AWS Deny all the request.默认情况下,AWS 拒绝所有请求。 Source 资源
Your policy itself does not grant access to the Administrator [or any other user], it only omits him from the list of principals that are explicitly denied.您的策略本身不会授予管理员 [或任何其他用户] 的访问权限,它只会将他从被明确拒绝的委托人列表中省略。 To allow him access to the resource, another policy statement must explicitly allow access using "Effect": "Allow".为了允许他访问资源,另一个策略声明必须使用“Effect”显式允许访问:“Allow”。 Source 资源
Now, we have to create Two Policy Statment's:- First with Allow and Second with Deny.现在,我们必须创建两个策略声明:- 第一个是允许,第二个是拒绝。 Then, It is better to have only One Policy With "allow" only to Specific IP.然后,最好只对特定 IP 设置一个“允许”策略。
It is better not to complicate simple things like using Deny with Not Principal and NotIPAddress.最好不要将简单的事情复杂化,例如将 Deny 与 Not Principal 和 NotIPAddress 一起使用。 Even AWS says:甚至 AWS 都说:
Very few scenarios require the use of NotPrincipal, and we recommend that you explore other authorization options before you decide to use NotPrincipal.
Now, the questions come on how to whitelist Cloudflare IP's???现在,问题出现在如何将 Cloudflare IP 列入白名单??? . .
Let's go with a simple approach.让我们用一个简单的方法 go。 Below is the Policy.以下是政策。 Replace your bucket name and your Cloudflare Ip's.替换您的存储桶名称和 Cloudflare Ip。 I have tested it and it is running.我已经测试过它并且它正在运行。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCloudFlareIP",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:getObject",
"Resource": [
"arn:aws:s3:::my-poc-bucket",
"arn:aws:s3:::my-poc-bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"IP1/32",
"IP2/32"
]
}
}
}
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.