How to restrict S3 bucket access by network
Question
I want to allow public read access to my S3 bucket, except for 2 folders.
On 2 folders, I want to allow access only to visitors coming from specific networks.
Is there a way to define this?
1 answers
solution1
3 ACCPTED 2017-07-18 23:19:54
There are several different ways to grant access to data stored in Amazon S3:
- Permissions on the individual objects themselves (discouraged)
- Bucket Policies that grant access to whole buckets or directories
- IAM User Policies that grant permissions to specific IAM Users/Groups
- Pre-Signed URLs that grant temporary, time-limited access to objects (good for programmatically granting access via an application)
Your use-case would fit Bucket Policies .
You can grant access to an entire Amazon S3 bucket with a policy like this:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::examplebucket/*"]
}
]
}
You can grant access based upon a range of IP addresses like this:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
"NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
}
}
]
}
Your situation, where you wish to "allow public read access to my S3 bucket, except for 2 folders" is slightly more difficult because it is an "everything except" use-case.
Option 1: Specific folders
- Grant public access to specific folders, AND
- Grant restricted access to specific folders
For example:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource":["arn:aws:s3:::examplebucket/folder1/*",
"arn:aws:s3:::examplebucket/folder2/*"]
},
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": ["arn:aws:s3:::examplebucket/folder3/*",
"arn:aws:s3:::examplebucket/folder4/*"],
"Condition": {
"IpAddress": {"aws:SourceIp": "54.240.143.0/24"}
}
]
}
However, that requires that you specifically list each folder.
Option 2: All except...
In this rule, you grant public access, but then Deny some folders if they are not from the right IP range:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource":["arn:aws:s3:::examplebucket/*"]
},
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": ["arn:aws:s3:::examplebucket/folder3/*",
"arn:aws:s3:::examplebucket/folder4/*"],
"Condition": {
"NotIpAddress": {"aws:SourceIp": "54.240.143.0/24"}
}
]
}
Note the use of Deny with NotIpAddress , which says that access is Denied if the request is not coming from the defined range of IP addresses.
However, DENY overrides ALLOW , so this also means that you will not be able to access the restricted buckets unless you come from that range of IP addresses -- even if your IAM User has been explicitly granted ALLOW permissions to do so. For example, if you are an administrator with all permissions in S3, you would still be denied access to the restricted folders if you are coming from the given IP range. Thus, it might be too restrictive for you since it affects all usage, even when accessed via the console/API.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.