
How do I restrict S3 + Cloudfront staging server to specific IP?

I am trying to setup my staging server to be served via S3 and cloudfront. Here is my bucket policy below.

a) If I access the S3 url directly, everything works fine.

b) If I access the cloudfront root domain, www.staging.example.com, everything works fine.

However, once I go to www.staging.example.com/login (or any non-root url), I get a 403 Forbidden AccessDenied error. How do I fix this?

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::staging-server/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "XXX",
                        "XXX"
                    ]
                }
            }
        }
    ]
}

If your intention is to serve the site via CloudFront only, then you should reconfigure the S3 bucket policy to allow access to the CloudFront Origin Access Identity of your CloudFront distribution, and remove all IP address conditions from the bucket policy.

To restrict access to the distribution to an IP whitelist, configure AWS WAF and an IPSet. Use WAF v2, not the original WAF.

On the non-root url question, do you actually have a document named login?
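The answer's two recommendations, as an added Python example that is not part of the question or the answer: build the CloudFront-only bucket policy (OAI principal, read-only action, no IP conditions), lint a bucket policy for the three things the question's policy does that a CloudFront origin policy should not (anonymous principal, `s3:*`, `aws:SourceIp` condition), and build the WAF v2 IPSet and Web ACL documents that move the IP allow-list to the distribution. The bucket name comes from the question; the OAI id, account id, IPSet ARN and the CIDRs are constructed placeholders. `QUESTION_POLICY` is the question's own policy with its `XXX` entries kept as-is.

```python
"""Added example, not code from the question or the answer.
Assumptions: OAI_ID, ALLOWED_CIDRS and the IPSet ARN below are placeholders."""
import ipaddress
import json

BUCKET = "staging-server"                      # from the question
OAI_ID = "EXAMPLEOAIID"                        # placeholder Origin Access Identity id
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]   # constructed, RFC 5737 ranges
IPSET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/staging-ipset/placeholder"

# The policy posted in the question (XXX kept as the poster wrote it).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [{
        "Sid": "IPAllow",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::staging-server/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["XXX", "XXX"]}},
    }],
}


def build_cloudfront_only_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that trusts only the distribution's OAI and grants read only.
    The principal ARN format is the one AWS documents for Origin Access Identities."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",            # read only, not s3:*
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def lint_bucket_policy(policy: dict) -> list:
    """Findings for Allow statements broader than a CloudFront origin needs.
    CloudFront fetches from the bucket with its own edge addresses, so an
    aws:SourceIp allow-list in the bucket policy does not describe viewer IPs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: anonymous principal '*'")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("s3:*", "*") for a in actions):
            findings.append(f"{sid}: wildcard action grants write/delete, not only read")
        for keys in stmt.get("Condition", {}).values():
            if any(k.lower() == "aws:sourceip" for k in keys):
                findings.append(f"{sid}: aws:SourceIp condition belongs in WAF, not the bucket policy")
    return findings


def build_wafv2_ip_allowlist(name: str, cidrs: list, ipset_arn: str) -> dict:
    """WAF v2 IPSet plus Web ACL (scope CLOUDFRONT, which must be created in
    us-east-1) that allows the listed CIDRs and blocks everything else.
    WAF v2 IPSets take CIDR notation only, so a single host is written /32."""
    for cidr in cidrs:
        if "/" not in cidr:
            raise ValueError(f"{cidr}: WAF v2 needs CIDR notation, e.g. {cidr}/32")
        ipaddress.ip_network(cidr, strict=True)   # rejects a bad mask or host bits set
    ipset = {"Name": f"{name}-ipset", "Scope": "CLOUDFRONT",
             "IPAddressVersion": "IPV4", "Addresses": list(cidrs)}
    metrics = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    web_acl = {
        "Name": f"{name}-webacl",
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Block": {}},             # deny by default; the rule below allows
        "Rules": [{
            "Name": "AllowListedIPs",
            "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": ipset_arn}},
            "Action": {"Allow": {}},
            "VisibilityConfig": {**metrics, "MetricName": "AllowListedIPs"},
        }],
        "VisibilityConfig": {**metrics, "MetricName": f"{name}-webacl"},
    }
    return {"ipset": ipset, "web_acl": web_acl}


if __name__ == "__main__":
    print("question policy findings:", lint_bucket_policy(QUESTION_POLICY))
    print(json.dumps(build_cloudfront_only_policy(BUCKET, OAI_ID), indent=2))
    print(json.dumps(build_wafv2_ip_allowlist("staging", ALLOWED_CIDRS, IPSET_ARN), indent=2))
```

The linter reports three findings on the question's policy and none on the OAI policy; the Web ACL's default action is Block, so any viewer outside the IPSet is rejected at the edge before the request reaches S3, and the bucket policy no longer needs to know viewer addresses at all.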
