
Allow lambda function to access S3 bucket but block external IPs

I am trying to write to an S3 bucket with the help of a Lambda function but would like to have the S3 bucket accessible only to IPs inside the office network.

I have used this bucket policy, but this does not allow my Lambda to write to the S3 bucket; when I remove the IP-blocking part, the Lambda function works fine.

How can I change this bucket policy so that it allows the Lambda to write but does not allow external IPs to access the S3 bucket?

Thanks!

```json
{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket.net/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "230513111850"
                }
            }
        },
        {
            "Sid": "AllowECSPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::mybucket.net/*"
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::abc.net/*",
                "arn:aws:s3:::abc.net"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAJIS5E4JXTWB4RTX3I:*",
                        "230513111751"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "81.111.111.111/24"
                    ]
                }
            }
        }
    ]
}
```

(The IP address shown is a dummy value.)

As a general rule, it makes life easier if you can avoid Deny statements in policies.

Therefore, you could configure:

  • An Amazon S3 bucket with a Bucket Policy that permits access from the desired CIDR range
  • An IAM Role for the Lambda function that permits access to the Amazon S3 bucket

There should be no need for a Deny statement in the bucket policy since access is denied by default.

One typical approach is to place the Lambda function inside a private VPC subnet. Then attach an S3 gateway VPC endpoint to it and set the corresponding S3 bucket policy to only allow certain actions performed from the VPC endpoint.
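A concrete version of the two answers above (the IAM role for the Lambda from the first, the VPC gateway endpoint from the second), as an added example that is not code from the question or from either answer. It assumes the bucket name `mybucket.net` from the question; the account id `123456789012`, the role names `lambda-s3-writer` and `breakglass-admin`, the endpoint id `vpce-0123456789abcdef0` and the office CIDR `81.111.111.0/24` are placeholders. One point worth being explicit about: inside a single AWS account, any principal whose identity policy allows S3 actions can reach the bucket from anywhere unless the bucket policy carries an explicit Deny, so the "office only" requirement in the question does need a Deny; the example keeps it to one statement and models that statement's condition logic against a few constructed request contexts to show which callers it blocks.

```python
"""Bucket policy + Lambda role policy for a Lambda in a VPC with an S3 gateway endpoint.

Added example, not code from the question or either answer.  The bucket name
comes from the question; account id, role names, endpoint id and office CIDR
are placeholders.  Only the Deny statement's Condition is modelled below.
"""
import ipaddress
import json

ACCOUNT_ID = "123456789012"                                               # placeholder
BUCKET = "mybucket.net"                                                   # from the question
OFFICE_CIDR = "81.111.111.0/24"                                           # placeholder
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"                                # placeholder
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/lambda-s3-writer"      # placeholder
BREAKGLASS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/breakglass-admin"  # placeholder

# Resource policy on the bucket.  One explicit Deny does the blocking, and an
# explicit Deny beats every Allow (IAM or bucket policy).  The condition keys
# are ANDed, so a request is denied only when it is NOT from the office CIDR
# AND NOT through our VPC endpoint AND NOT the break-glass role.  aws:SourceIp
# is absent for traffic that arrives via a VPC endpoint, hence aws:SourceVpce.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnlessOfficeOrVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": [OFFICE_CIDR]},
                "StringNotEquals": {"aws:SourceVpce": VPC_ENDPOINT_ID},
                "ArnNotEquals": {"aws:PrincipalArn": BREAKGLASS_ROLE_ARN},
            },
        }
    ],
}

# Identity policy on the Lambda execution role.  Same account, so no Allow is
# needed in the bucket policy; the Deny above still applies to this role.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WriteToBucket", "Effect": "Allow",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}
    ],
}


def denied_by_bucket_policy(ctx: dict) -> bool:
    """Evaluate the Deny statement's Condition against a request context.

    Models two IAM rules: every key in a Condition block must match (AND), and
    a negated operator (NotIpAddress, StringNotEquals, ArnNotEquals) is true
    when its key is missing from the request context.
    """
    cond = BUCKET_POLICY["Statement"][0]["Condition"]
    src_ip = ctx.get("aws:SourceIp")
    not_office = src_ip is None or not any(
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)
        for cidr in cond["NotIpAddress"]["aws:SourceIp"]
    )
    not_vpce = ctx.get("aws:SourceVpce") != cond["StringNotEquals"]["aws:SourceVpce"]
    not_breakglass = ctx.get("aws:PrincipalArn") != cond["ArnNotEquals"]["aws:PrincipalArn"]
    return not_office and not_vpce and not_breakglass


# Constructed request contexts (not real logs); documentation IP ranges.
SAMPLE_REQUESTS = {
    # Lambda attached to the VPC, reaching S3 through the gateway endpoint:
    # no aws:SourceIp, but aws:SourceVpce is set.
    "lambda_via_vpce": {"aws:PrincipalArn": LAMBDA_ROLE_ARN, "aws:SourceVpce": VPC_ENDPOINT_ID},
    # Same Lambda with no VPC config: it arrives from a public AWS address,
    # which is why an IP-only condition like the question's breaks it.
    "lambda_public": {"aws:PrincipalArn": LAMBDA_ROLE_ARN, "aws:SourceIp": "198.51.100.7"},
    "office_user": {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice",
                    "aws:SourceIp": "81.111.111.42"},
    "internet_anonymous": {"aws:SourceIp": "203.0.113.9"},
    "breakglass_from_home": {"aws:PrincipalArn": BREAKGLASS_ROLE_ARN, "aws:SourceIp": "203.0.113.9"},
}


def evaluate_all() -> dict:
    """Name -> True when the Deny statement blocks that request."""
    return {name: denied_by_bucket_policy(ctx) for name, ctx in SAMPLE_REQUESTS.items()}


def rendered_policies() -> tuple:
    """JSON for `aws s3api put-bucket-policy --policy file://...` and
    `aws iam put-role-policy --policy-document file://...`."""
    return json.dumps(BUCKET_POLICY, indent=2), json.dumps(LAMBDA_ROLE_POLICY, indent=2)


if __name__ == "__main__":
    for name, denied in evaluate_all().items():
        print(f"{name:22s} {'DENIED' if denied else 'allowed through'}")
    print(rendered_policies()[0])
```

Two things the policy alone does not do: the Lambda must be given the VPC's subnets and a security group, and the subnet route table must be associated with the gateway endpoint, otherwise the function still reaches S3 from a public address and hits the Deny. And because the Deny uses `Principal: "*"`, it applies to console users and the account root as well; the `ArnNotEquals` exemption for a break-glass role is what keeps a mistyped endpoint id or CIDR from locking everyone out, so keep that role's credentials offline and apply the policy only after checking it with a non-admin principal.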
