
SOS AWS S3 Bucket Policy

I am trying to restrict access to my AWS S3 Bucket, so that only a few domains, 1 IP-address and AWS Lambda functions will have access to it.

This is what I have written, but it is not working :-(

{
    "Version": "2012-10-17",
    "Id": "httpRefererPolicy",
    "Statement": [
        {
            "Sid": "AllowRequestsReferred",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject","s3:GetObjectAcl"],
            "Resource": "arn:aws:s3:::example/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://www.example.com/*",
                        "https://example.com/*",
                        "https://example.herokuapp.com/*",
                        "https://dfgdsfgdfg.cloudfront.net/*"
                    ]
                },
                "IpAddress": {
                    "aws:SourceIp": "219.77.225.296"
                }
            }
        },
        {
            "Sid": "DenyRequestsReferred",
            "Effect": "Deny",
            "NotPrincipal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": ["s3:GetObject","s3:GetObjectAcl"],
            "Resource": "arn:aws:s3:::example/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "https://www.example.com/*",
                        "https://example.com/*",
                        "https://example.herokuapp.com/*",
                        "https://dfgdsfgdfg.cloudfront.net/*"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": "219.77.225.296"
                }
            }
        }
    ]
}

What have I written wrong?

Your policy says:

ALLOW GetObject access from an (invalid) IP address if the request was referred from certain websites.

DENY GetObject access if the request is not from Lambda and is not an (invalid) IP address and was not referred from certain websites.

So, the first thing is that IpAddress needs to be in CIDR notation, so you should use:

"aws:SourceIp": "219.77.225.296/32"

Second, there is nothing in this policy that is granting access to the Lambda function (since it is not on the IP address in the ALLOW statement). Also, your method of granting access looks unlikely to work. I would recommend granting access to the IAM Role being used by the Lambda function.

I would suggest you only create ALLOW statements, and give access to each source independently. If you want to grant access based on referer OR IpAddress OR Lambda, you'd need:

  • ALLOW based on referer
  • ALLOW based on IpAddress
  • ALLOW based on Lambda (You'll need to do this by permitting access from the IAM Role used by the Lambda function)

Only use DENY if you need to override a permission that was previously granted via ALLOW. It is best to avoid DENY if possible, to keep things easier to understand.
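One way to write the three-ALLOW layout the answer describes, as an added example that is not code from the original post: a Python script that builds the policy and checks the SourceIp value as a CIDR block with the standard ipaddress module, so an address like the one in the question is rejected before the policy is applied. The account id and role name are placeholders to replace with your own.

```python
import ipaddress

# Constructed placeholder values (not from the original post): adjust to your account.
LAMBDA_ROLE_ARN = "arn:aws:iam::123456789012:role/example-lambda-role"
BUCKET_OBJECTS = "arn:aws:s3:::example/*"
ACTIONS = ["s3:GetObject", "s3:GetObjectAcl"]
REFERERS = [
    "https://www.example.com/*",
    "https://example.com/*",
    "https://example.herokuapp.com/*",
    "https://dfgdsfgdfg.cloudfront.net/*",
]


def validate_cidr(value: str) -> str:
    """Return a normalised CIDR block, or raise ValueError for an invalid address."""
    # A bare address (no prefix length) means a single host, i.e. /32.
    candidate = value if "/" in value else f"{value}/32"
    return str(ipaddress.ip_network(candidate, strict=True))


def build_policy(source_cidr: str) -> dict:
    """Three independent Allow statements and no Deny, as the answer recommends."""
    statements = [
        {   # 1. Anonymous reads when the browser sends one of the listed Referers.
            #    The Referer header is client-supplied, so this is not a strong control.
            "Sid": "AllowByReferer",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ACTIONS,
            "Resource": BUCKET_OBJECTS,
            "Condition": {"StringLike": {"aws:Referer": REFERERS}},
        },
        {   # 2. Anonymous reads from one source address range, in CIDR notation.
            "Sid": "AllowByIp",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ACTIONS,
            "Resource": BUCKET_OBJECTS,
            "Condition": {"IpAddress": {"aws:SourceIp": validate_cidr(source_cidr)}},
        },
        {   # 3. The Lambda function's execution role, identified by its ARN.
            "Sid": "AllowLambdaRole",
            "Effect": "Allow",
            "Principal": {"AWS": LAMBDA_ROLE_ARN},
            "Action": ACTIONS,
            "Resource": BUCKET_OBJECTS,
        },
    ]
    return {"Version": "2012-10-17", "Id": "allowOnlyPolicy", "Statement": statements}
```

Call `build_policy("<your address>/32")` and dump the result with `json.dumps(..., indent=4)` to get the document to paste into the bucket policy editor.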
