
Restrict S3 bucket access to specific regions

I provide several IAM users access to a large volume of data on S3. These users may want to copy the data to their buckets, download the data offline, or access the data from Databricks, EMR, or Athena from their accounts.

I'm responsible for bandwidth costs for data transferred out of my bucket, so I'd like to restrict outgoing data transfer to the same region where the data is housed since intraregion bandwidth is free.

In other words, since the data is housed in us-east-1 I want to restrict data to only be available for transfer to other buckets, EC2 instances, EMR, or Athena instances in the us-east-1 region.

Is there a way to implement that limitation?

We currently use requester-pays to manage this but it introduces unwanted complexity and limits direct use of the managed services I mentioned above.

You might want to investigate an S3 bucket policy that places conditions on the requester's source IP, and use the advertised AWS IP ranges for us-east-1.

Also, CloudFront has a geo-blocking feature but it would only allow you to block/allow by country. Plus, as Michael - sqlbot indicates, it would not be free of charge.
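As an added worked example (not part of the original question or answer, and not AWS's own tooling), the following Python script does what the answer suggests: it filters the published ip-ranges.json for a region, collapses the prefixes, emits a bucket policy that grants the named principals read access only when the request's public source address is in that list, and previews the effect for a few source addresses. The contents of SAMPLE_IP_RANGES, the bucket name `my-dataset-bucket` and the account ID `111122223333` are constructed placeholders; replace them with the live file from https://ip-ranges.amazonaws.com/ip-ranges.json and your own identifiers.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are sample data for this example only; pull the live file (and re-pull
# it when the AmazonIpSpaceChanged SNS topic fires) when generating a real policy.
SAMPLE_IP_RANGES = {
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        # Per-service entries overlap the AMAZON superset; collapsing removes the duplicates.
        {"ip_prefix": "52.94.76.0/23", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "18.130.0.0/16", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2"},
        {"ip_prefix": "54.240.0.0/18", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ipv6_prefix": "2a05:d018::/36", "region": "eu-west-2", "service": "AMAZON", "network_border_group": "eu-west-2"},
    ],
}

BUCKET_POLICY_LIMIT_BYTES = 20 * 1024  # S3 caps a bucket policy at 20 KB


def region_prefixes(ip_ranges, region, services=("AMAZON",)):
    """CIDRs AWS advertises for `region`, restricted to `services` and collapsed.

    The AMAZON entries are a superset of the per-service ones, so the default
    covers EC2, S3, Athena, EMR and the rest. Overlapping networks are merged
    so the condition list is as short as possible (the 20 KB limit bites).
    """
    v4 = [ipaddress.ip_network(p["ip_prefix"]) for p in ip_ranges["prefixes"]
          if p["region"] == region and p["service"] in services]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"]) for p in ip_ranges["ipv6_prefixes"]
          if p["region"] == region and p["service"] in services]
    # collapse_addresses rejects mixed IP versions, so collapse each family separately.
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


def build_bucket_policy(bucket, principal_arns, cidrs):
    """Bucket policy granting read access to `principal_arns` only when the
    request's public source address (aws:SourceIp) is inside `cidrs`.

    Because this is an Allow with a condition, a request whose context has no
    aws:SourceIp (e.g. one arriving through a VPC endpoint) simply does not match.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadFromRegionAddresses",
                "Effect": "Allow",
                "Principal": {"AWS": list(principal_arns)},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
            }
        ],
    }


def policy_fits(policy, limit=BUCKET_POLICY_LIMIT_BYTES):
    """True if the compact JSON form of the policy is within the S3 size limit."""
    return len(json.dumps(policy, separators=(",", ":")).encode()) <= limit


def source_ip_allowed(cidrs, source_ip):
    """Local preview of how IAM's IpAddress operator treats one source address."""
    addr = ipaddress.ip_address(source_ip)
    # Membership across IP versions is False, so v4 addresses never match v6 ranges.
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    cidrs = region_prefixes(SAMPLE_IP_RANGES, "us-east-1")
    # Placeholder bucket name and grantee account ID.
    policy = build_bucket_policy("my-dataset-bucket", ["arn:aws:iam::111122223333:root"], cidrs)
    print(json.dumps(policy, indent=2))
    print("fits in 20 KB:", policy_fits(policy))
    for ip in ("52.94.77.10", "18.130.4.2", "2600:1f18:1234::1"):
        print(ip, "allowed" if source_ip_allowed(cidrs, ip) else "denied")
```

Three caveats worth keeping in mind with this approach. First, this is a network-location check, not a region check: there is no condition key for the caller's region on the S3 data plane (aws:RequestedRegion names the region of the endpoint being called, which for a bucket is always the bucket's own region), so the IP list is the only handle you have. Second, requests that arrive through a VPC endpoint do not carry aws:SourceIp (they expose aws:VpcSourceIp and aws:SourceVpce instead), so grantees using endpoints in us-east-1 need a separate statement keyed on those. Third, the full us-east-1 list is long and changes frequently; check `policy_fits` after each regeneration and trim to the services actually needed if it overflows. Cross-account grantees still need an identity policy in their own account that allows the same S3 actions.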
