I am trying to restrict access to my AWS S3 Bucket, so that only a few domains, 1 IP-address and AWS Lambda functions will have access to it.
This is what I have written, but it is not working :-(
{
    "Version": "2012-10-17",
    "Id": "httpRefererPolicy",
    "Statement": [
        {
            "Sid": "AllowRequestsReferred",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:GetObjectAcl"],
            "Resource": "arn:aws:s3:::example/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://www.example.com/*",
                        "https://example.com/*",
                        "https://example.herokuapp.com/*",
                        "https://dfgdsfgdfg.cloudfront.net/*"
                    ]
                },
                "IpAddress": {
                    "aws:SourceIp": "219.77.225.296"
                }
            }
        },
        {
            "Sid": "DenyRequestsReferred",
            "Effect": "Deny",
            "NotPrincipal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": ["s3:GetObject", "s3:GetObjectAcl"],
            "Resource": "arn:aws:s3:::example/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "https://www.example.com/*",
                        "https://example.com/*",
                        "https://example.herokuapp.com/*",
                        "https://dfgdsfgdfg.cloudfront.net/*"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": "219.77.225.296"
                }
            }
        }
    ]
}
What have I written wrong?
Your policy says:
- ALLOW GetObject access from an (invalid) IP address if the request was referred from certain websites.
- DENY GetObject access if the request is not from Lambda and is not from an (invalid) IP address and was not referred from certain websites.

So, the first thing is that IpAddress needs to be in CIDR notation, so you should use:

    "aws:SourceIp": "219.77.225.296/32"
Second, there is nothing in this policy that is granting access to the Lambda function (since it is not on the IP address in the ALLOW statement). Also, your method of granting access looks unlikely to work. I would recommend granting access to the IAM Role being used by the Lambda function.

I would suggest you only create ALLOW statements, and give access to each source independently. If you want to grant access based on referer OR IpAddress OR Lambda, you'd need:
- referer
- IpAddress
- Lambda (you'll need to do this by permitting access from the IAM Role used by the Lambda function)

Only use DENY if you need to override a permission that was previously granted via ALLOW. It is best to avoid DENY if possible, to keep things easier to understand.
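The following is an added worked example, not code from the question or the answer above. It builds the bucket policy the way the answer recommends (three independent ALLOW statements, one per source, no DENY) and includes a small linter that flags the mistakes in the original policy: a SourceIp that is not in CIDR notation or is not a valid address, a DENY statement, several condition operators ANDed inside one Condition block, and a NotPrincipal service entry used in place of the Lambda function's IAM role. The Lambda role ARN, the account ID and the corrected client address 219.77.225.29/32 are assumptions chosen for the example; the bucket name and referer list are taken from the question.

```python
import ipaddress
import json

# Referer values from the question. Caveat: the Referer header is client-controlled
# and trivially spoofed, so this only deters casual hotlinking; it is not authentication.
ALLOWED_REFERERS = [
    "https://www.example.com/*",
    "https://example.com/*",
    "https://example.herokuapp.com/*",
    "https://dfgdsfgdfg.cloudfront.net/*",
]
# Hypothetical IAM execution role of the Lambda function (assumption, not from the post).
LAMBDA_ROLE_ARN = "arn:aws:iam::123456789012:role/example-lambda-role"
# Constructed valid address: the question's "219.77.225.296" has an octet above 255.
CLIENT_CIDR = "219.77.225.29/32"


def validate_cidr(value):
    """aws:SourceIp must be CIDR; a single host needs an explicit /32 (or /128 for IPv6)."""
    if "/" not in value:
        raise ValueError(f"{value!r} is not in CIDR notation (add /32 for a single host)")
    # strict=True also rejects host bits set outside the prefix, e.g. 10.0.0.5/24.
    return str(ipaddress.ip_network(value, strict=True))


def build_policy(bucket, referers, client_cidr, lambda_role_arn):
    """One ALLOW statement per source, as the answer recommends; no DENY at all."""
    resource = f"arn:aws:s3:::{bucket}/*"
    actions = ["s3:GetObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowByReferer", "Effect": "Allow", "Principal": "*",
             "Action": actions, "Resource": resource,
             "Condition": {"StringLike": {"aws:Referer": referers}}},
            {"Sid": "AllowByIp", "Effect": "Allow", "Principal": "*",
             "Action": actions, "Resource": resource,
             "Condition": {"IpAddress": {"aws:SourceIp": validate_cidr(client_cidr)}}},
            # Lambda reaches S3 with the credentials of its execution role, so that
            # role is the principal to grant, not the lambda.amazonaws.com service.
            {"Sid": "AllowLambdaRole", "Effect": "Allow",
             "Principal": {"AWS": lambda_role_arn},
             "Action": actions, "Resource": resource},
        ],
    }


def lint_policy(policy):
    """Return findings for the mistakes discussed in the answer (empty list = clean)."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Deny":
            findings.append(f"{sid}: Deny statement; prefer independent Allow statements")
        if "NotPrincipal" in stmt:
            findings.append(f"{sid}: NotPrincipal with a service entry does not identify "
                            "your function; grant the Lambda IAM role instead")
        if len(cond) > 1:
            findings.append(f"{sid}: {len(cond)} condition operators are ANDed; "
                            "split into one statement per source if you meant OR")
        for key in ("IpAddress", "NotIpAddress"):
            ips = cond.get(key, {}).get("aws:SourceIp", [])
            for ip in ([ips] if isinstance(ips, str) else ips):
                try:
                    validate_cidr(ip)
                except ValueError as exc:
                    findings.append(f"{sid}: {exc}")
        if stmt.get("Principal") == "*" and not cond:
            findings.append(f"{sid}: Principal * with no Condition grants public access")
    return findings


# Condensed copy of the question's policy, constructed here as linter input.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRequestsReferred", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example/*",
         "Condition": {"StringLike": {"aws:Referer": ALLOWED_REFERERS},
                       "IpAddress": {"aws:SourceIp": "219.77.225.296"}}},
        {"Sid": "DenyRequestsReferred", "Effect": "Deny",
         "NotPrincipal": {"Service": "lambda.amazonaws.com"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example/*",
         "Condition": {"StringNotLike": {"aws:Referer": ALLOWED_REFERERS},
                       "NotIpAddress": {"aws:SourceIp": "219.77.225.296"}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(BROKEN_POLICY):
        print("original policy:", finding)
    fixed = build_policy("example", ALLOWED_REFERERS, CLIENT_CIDR, LAMBDA_ROLE_ARN)
    print("fixed policy findings:", lint_policy(fixed))
    print(json.dumps(fixed, indent=2))
```

Running the script lints the original policy (reporting the non-CIDR and invalid address, the DENY, the ANDed conditions and the NotPrincipal service entry) and then prints the rebuilt policy, which passes the same linter. The IAM role in the rebuilt policy is the place to substitute the real execution role ARN of the function.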