I want to allow public read access to my S3 bucket, except for 2 folders.
On 2 folders, I want to allow access only to visitors coming from specific networks.
Is there a way to define this?
There are several different ways to grant access to data stored in Amazon S3.
Your use-case would fit Bucket Policies.
You can grant access to an entire Amazon S3 bucket with a policy like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::examplebucket/*"]
    }
  ]
}
You can grant access based upon a range of IP addresses like this:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}
Your situation, where you wish to "allow public read access to my S3 bucket, except for 2 folders" is slightly more difficult because it is an "everything except" use-case.
Option 1: Specific folders
For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::examplebucket/folder1/*",
        "arn:aws:s3:::examplebucket/folder2/*"
      ]
    },
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::examplebucket/folder3/*",
        "arn:aws:s3:::examplebucket/folder4/*"
      ],
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"}
      }
    }
  ]
}
However, that requires that you specifically list each folder.
Option 2: All except...
In this rule, you grant public access, but then Deny some folders if they are not from the right IP range:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::examplebucket/*"]
    },
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::examplebucket/folder3/*",
        "arn:aws:s3:::examplebucket/folder4/*"
      ],
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": "54.240.143.0/24"}
      }
    }
  ]
}
Note the use of Deny with NotIpAddress, which says that access is Denied if the request is not coming from the defined range of IP addresses.
However, DENY overrides ALLOW, so this also means that you will not be able to access the restricted buckets unless you come from that range of IP addresses -- even if your IAM User has been explicitly granted ALLOW permissions to do so. For example, if you are an administrator with all permissions in S3, you would still be denied access to the restricted folders if you are coming from the given IP range. Thus, it might be too restrictive for you since it affects all usage, even when accessed via the console/API.
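As an added illustration (not part of the answer above, and a simplified model rather than the real AWS policy evaluator), this Python snippet applies the Option 2 "all except" policy to sample requests using the rule that an explicit Deny beats any Allow, including an identity-based allow from IAM. The `evaluate` function, its `identity_allowed` flag and the request values are assumptions constructed for this example.

```python
import fnmatch
import ipaddress

# Constructed copy of the Option 2 bucket policy (public read, two IP-restricted folders).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": ["arn:aws:s3:::examplebucket/*"]},
        {"Sid": "IPAllow", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::examplebucket/folder3/*",
                      "arn:aws:s3:::examplebucket/folder4/*"],
         "Condition": {"NotIpAddress": {"aws:SourceIp": "54.240.143.0/24"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_in(cidrs, source_ip):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def _condition_met(condition, source_ip):
    # Only the two operators used in the policies above; every operator must hold.
    for operator, kv in condition.items():
        cidrs = kv["aws:SourceIp"]
        if operator == "IpAddress" and not _ip_in(cidrs, source_ip):
            return False
        if operator == "NotIpAddress" and _ip_in(cidrs, source_ip):
            return False
    return True

def evaluate(policy, action, resource, source_ip, identity_allowed=False):
    """Simplified S3 decision: default Deny, any matching Allow grants,
    any matching explicit Deny wins, even over an IAM (identity) allow."""
    decision = "Allow" if identity_allowed else "Deny"
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides every allow
        decision = "Allow"
    return decision
```

Running `evaluate` for `folder3/` from an address outside 54.240.143.0/24 returns "Deny" even with `identity_allowed=True`, which is the administrator case described in the last paragraph.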