
Allow lambda function to access S3 bucket but block external IPs

I am trying to write to an S3 bucket with the help of a lambda function, but I want the S3 bucket to be accessible only from IPs inside the office network.

I have used this bucket policy but this does not allow my lambda to write to the S3 bucket; when I remove the IP blocking part, the lambda function works fine.

How can I change this bucket policy so that it allows the lambda to write but does not allow external IPs to access the S3 bucket?

Thanks!

{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket.net/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "230513111850"
                }
            }
        },
        {
            "Sid": "AllowECSPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::mybucket.net/*"
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::abc.net/*",
                "arn:aws:s3:::abc.net"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAJIS5E4JXTWB4RTX3I:*",
                        "230513111751"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "81.111.111.111/24"
                    ]
                }
            }
        }
    ]
}

As a general rule, life is easier if you can avoid Deny statements in policies.

So you could configure:

  • An Amazon S3 bucket with a bucket policy that allows access from the desired CIDR range
  • An IAM role for the Lambda function that allows access to the Amazon S3 bucket

Since access is denied by default, there should be no need for a Deny statement in the bucket policy.

A typical approach is to place the lambda function in a private VPC subnet, then attach an S3 gateway VPC endpoint to it, and set the corresponding S3 bucket policy to allow certain actions only from the VPC endpoint. [Reference]
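The two answers above describe the fix in prose. The following is an added example (mine, not code from the post, its authors or AWS) that models bucket-policy evaluation in Python so you can see why the asker's Deny blocks the Lambda function and why neither recommended shape does. It is a deliberately simplified evaluator (explicit Deny wins, then any Allow, then implicit deny) over a request context; the account id, role ids, VPC endpoint id and IP addresses are constructed placeholders, and it needs only the standard library.

```python
"""Simplified model of S3 bucket-policy evaluation. Added example, not code from the
post: it models only an explicit Deny with IP / VPC-endpoint conditions plus the
IAM-role Allow a Lambda function carries. Real IAM evaluation has more rules."""
import fnmatch
import ipaddress

# Constructed placeholders; none of these are real account, role or endpoint ids.
ACCOUNT = "123456789012"
OFFICE_CIDR = "81.111.111.0/24"
VPCE_ID = "vpce-0123456789abcdef0"
BUCKET_ARN = "arn:aws:s3:::mybucket.net"
ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]
RESOURCES = [BUCKET_ARN, BUCKET_ARN + "/*"]

def _values(v):
    return v if isinstance(v, list) else [v]

def condition_matches(condition, ctx):
    """Negated operators (Not*) are satisfied when the key is absent from the request,
    positive ones are not: that IAM rule is what makes a SourceVpce Deny bite."""
    for operator, keys in condition.items():
        negated = "Not" in operator
        for key, wanted in keys.items():
            actual = ctx.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            if operator in ("IpAddress", "NotIpAddress"):
                hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                          for c in _values(wanted))
            elif operator in ("StringLike", "StringNotLike"):
                hit = any(fnmatch.fnmatchcase(actual, p) for p in _values(wanted))
            elif operator in ("StringEquals", "StringNotEquals"):
                hit = actual in _values(wanted)
            else:
                raise ValueError(f"operator {operator} is not modelled")
            if hit == negated:  # a positive operator needs a hit, a negated one needs none
                return False
    return True

def statement_applies(stmt, ctx):
    """True when Principal, Action, Resource and Condition all match the request."""
    principal = stmt.get("Principal", "*")
    if principal != "*" and ctx["principal"] not in _values(principal.get("AWS", [])):
        return False
    if ctx["action"] not in _values(stmt["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _values(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), ctx)

def evaluate(bucket_policy, identity_allows, ctx):
    """Explicit Deny wins; else a bucket-policy or identity-policy Allow grants; else deny."""
    matched = [s for s in bucket_policy["Statement"] if statement_applies(s, ctx)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "deny"
    return "allow" if identity_allows or any(s["Effect"] == "Allow" for s in matched) else "deny"

def _policy(effect, condition):
    return {"Version": "2012-10-17", "Statement": [{"Effect": effect, "Principal": "*",
            "Action": ACTIONS, "Resource": RESOURCES, "Condition": condition}]}

# The asker's shape: deny everyone who is neither on the office range nor on a userId
# allow-list. The Lambda role's userId is not on that list, so Lambda is denied.
DENY_BY_IP_POLICY = _policy("Deny", {"StringNotLike": {"aws:userId": ["AROAEXAMPLEADMIN:*"]},
                                     "NotIpAddress": {"aws:SourceIp": [OFFICE_CIDR]}})
# First answer: no Deny. The office range gets an Allow here, the Lambda function is
# granted by its own IAM role, and everyone else is implicitly denied.
ALLOW_OFFICE_POLICY = _policy("Allow", {"IpAddress": {"aws:SourceIp": [OFFICE_CIDR]}})
# Second answer: Lambda in a private subnet behind an S3 gateway endpoint; the bucket
# denies these actions unless the request arrived through that endpoint.
VPCE_ONLY_POLICY = _policy("Deny", {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}})

def lambda_request(via_vpce=False):
    """Constructed PutObject by the Lambda role. Outside a VPC it leaves from an AWS-owned
    address, never the office range; via a gateway endpoint it carries aws:SourceVpce."""
    ctx = {"principal": f"arn:aws:iam::{ACCOUNT}:role/my-lambda-role",
           "aws:userId": "AROAEXAMPLELAMBDA:my-function",
           "action": "s3:PutObject", "resource": BUCKET_ARN + "/report.csv"}
    if via_vpce:
        ctx["aws:SourceVpce"] = VPCE_ID
    else:
        ctx["aws:SourceIp"] = "52.0.0.10"
    return ctx

OFFICE_REQUEST = {"principal": f"arn:aws:iam::{ACCOUNT}:user/alice", "aws:userId": "AIDAEXAMPLEALICE",
                  "action": "s3:GetObject", "resource": BUCKET_ARN + "/report.csv",
                  "aws:SourceIp": "81.111.111.42"}
INTERNET_REQUEST = {"principal": "anonymous", "action": "s3:GetObject",
                    "resource": BUCKET_ARN + "/report.csv", "aws:SourceIp": "203.0.113.9"}

if __name__ == "__main__":
    for name, pol in (("deny-by-ip", DENY_BY_IP_POLICY), ("allow-office", ALLOW_OFFICE_POLICY),
                      ("vpce-only", VPCE_ONLY_POLICY)):
        print(name, "lambda:", evaluate(pol, True, lambda_request()), "lambda-in-vpc:",
              evaluate(pol, True, lambda_request(True)), "office:", evaluate(pol, True, OFFICE_REQUEST),
              "internet:", evaluate(pol, False, INTERNET_REQUEST))
```

Running it shows the asker's Deny rejecting the Lambda call (its source address is an AWS one, not the office range, and its role's userId is not on the allow-list), the first answer's shape admitting both the office and the role-backed Lambda while the anonymous Internet request falls to the implicit deny, and the second answer's shape admitting only requests that arrive through the endpoint. One caveat worth keeping in mind: a request through a gateway endpoint carries aws:SourceVpce rather than a public aws:SourceIp, so a NotIpAddress Deny like the asker's would also catch a Lambda that was moved into a VPC; if you take the VPC route, condition the policy on the endpoint as the second answer does rather than on source IPs.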


Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original URL. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM