
Why will my AWS S3 policy not restrict access to only certain IP addresses?

I am trying to create an S3 policy in AWS. The S3 bucket stores an mp4 video. I have already enabled access based on username or password, but now I am trying to restrict access by IP (I only want this video to be accessible from certain IP addresses: only my home and office IP addresses).

I used myipaddress.com and ran "ipconfig" in cmd to work out the subnet mask code (/19, though some use /32, /24, etc.), but when I use a different IP address, it still allows that other IP address. In other words, anyone can watch this video and I cannot restrict access. Below is the policy code.

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Deny",
                "Action": [
                    "s3:PutAnalyticsConfiguration",
                    "s3:GetObjectVersionTagging",
                    "s3:DeleteAccessPoint",
                    "s3:CreateBucket",
                    "s3:GetStorageLensConfigurationTagging",
                    "s3:ReplicateObject",
                    "s3:GetObjectAcl",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:DeleteBucketWebsite",
                    "s3:DeleteJobTagging",
                    "s3:PutLifecycleConfiguration",
                    "s3:GetObjectVersionAcl",
                    "s3:PutBucketAcl",
                    "s3:PutObjectTagging",
                    "s3:DeleteObject",
                    "s3:DeleteObjectTagging",
                    "s3:GetBucketPolicyStatus",
                    "s3:GetObjectRetention",
                    "s3:GetBucketWebsite",
                    "s3:GetJobTagging",
                    "s3:DeleteStorageLensConfigurationTagging",
                    "s3:PutReplicationConfiguration",
                    "s3:DeleteObjectVersionTagging",
                    "s3:PutObjectLegalHold",
                    "s3:GetObjectLegalHold",
                    "s3:GetBucketNotification",
                    "s3:PutBucketCORS",
                    "s3:DeleteBucketPolicy",
                    "s3:GetReplicationConfiguration",
                    "s3:ListMultipartUploadParts",
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:PutBucketNotification",
                    "s3:DescribeJob",
                    "s3:PutBucketLogging",
                    "s3:PutObjectVersionAcl",
                    "s3:GetAnalyticsConfiguration",
                    "s3:PutBucketObjectLockConfiguration",
                    "s3:GetObjectVersionForReplication",
                    "s3:PutAccessPointPolicy",
                    "s3:GetStorageLensDashboard",
                    "s3:CreateAccessPoint",
                    "s3:GetLifecycleConfiguration",
                    "s3:GetInventoryConfiguration",
                    "s3:GetBucketTagging",
                    "s3:PutAccelerateConfiguration",
                    "s3:DeleteObjectVersion",
                    "s3:GetBucketLogging",
                    "s3:ListBucketVersions",
                    "s3:ReplicateTags",
                    "s3:RestoreObject",
                    "s3:ListBucket",
                    "s3:GetAccelerateConfiguration",
                    "s3:GetBucketPolicy",
                    "s3:PutEncryptionConfiguration",
                    "s3:GetEncryptionConfiguration",
                    "s3:GetObjectVersionTorrent",
                    "s3:AbortMultipartUpload",
                    "s3:PutBucketTagging",
                    "s3:GetBucketRequestPayment",
                    "s3:DeleteBucketOwnershipControls",
                    "s3:GetAccessPointPolicyStatus",
                    "s3:UpdateJobPriority",
                    "s3:GetObjectTagging",
                    "s3:GetMetricsConfiguration",
                    "s3:GetBucketOwnershipControls",
                    "s3:DeleteBucket",
                    "s3:PutBucketVersioning",
                    "s3:PutObjectAcl",
                    "s3:GetBucketPublicAccessBlock",
                    "s3:ListBucketMultipartUploads",
                    "s3:PutBucketPublicAccessBlock",
                    "s3:PutMetricsConfiguration",
                    "s3:PutStorageLensConfigurationTagging",
                    "s3:PutBucketOwnershipControls",
                    "s3:PutObjectVersionTagging",
                    "s3:PutJobTagging",
                    "s3:UpdateJobStatus",
                    "s3:GetBucketVersioning",
                    "s3:GetBucketAcl",
                    "s3:BypassGovernanceRetention",
                    "s3:PutInventoryConfiguration",
                    "s3:GetObjectTorrent",
                    "s3:ObjectOwnerOverrideToBucketOwner",
                    "s3:GetStorageLensConfiguration",
                    "s3:DeleteStorageLensConfiguration",
                    "s3:PutBucketWebsite",
                    "s3:PutBucketRequestPayment",
                    "s3:PutObjectRetention",
                    "s3:GetBucketCORS",
                    "s3:PutBucketPolicy",
                    "s3:DeleteAccessPointPolicy",
                    "s3:GetBucketLocation",
                    "s3:GetAccessPointPolicy",
                    "s3:ReplicateDelete",
                    "s3:GetObjectVersion"
                ],
                "Resource": "arn:aws:s3:::internshipbucket12",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "96.70.32.38/19"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Deny",
                "Action": [
                    "s3:ListStorageLensConfigurations",
                    "s3:GetAccessPoint",
                    "s3:PutAccountPublicAccessBlock",
                    "s3:GetAccountPublicAccessBlock",
                    "s3:ListAllMyBuckets",
                    "s3:ListAccessPoints",
                    "s3:ListJobs",
                    "s3:PutStorageLensConfiguration",
                    "s3:CreateJob"
                ],
                "Resource": "*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "96.70.32.38/19"
                    }
                }
            }
        ]
}

Anyone can view this video; I cannot restrict access.

That is not how it works. Your policy is an IAM policy, not a bucket policy. That means only the IAM users and roles you have explicitly allowed can access the video. Your policy does not allow anonymous access.

Furthermore, your deny will only apply to requests coming from the 96.70.32.38/19 address range. If you use a different IP, the policy does not apply. To have the deny apply to all other IP addresses except your own, you need NotIpAddress, not IpAddress, in the Condition, as described in the AWS docs. Also, your first statement applies only to the bucket, not to its objects. For both the objects and the bucket you need:

 "Resource": [
      "arn:aws:s3:::internshipbucket12",
      "arn:aws:s3:::internshipbucket12/*"
  ]

Also, buckets and objects are private by default, so you do not need an IAM policy with an explicit deny. By default, nobody can access the bucket or its contents unless you, as the administrator, allow it in a policy.
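A small condition evaluator, added here as an example rather than code from the question or the answer, that replays the IpAddress and NotIpAddress operators against the request the question describes. It assumes a hypothetical object key video.mp4, a constructed second (office) address 203.0.113.7, and reduces the action list to s3:GetObject.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed statements (added example, not the post's own policy). The bucket name is the
# one from the question; 203.0.113.7 and 198.51.100.9 are documentation addresses.
BUCKET = "arn:aws:s3:::internshipbucket12"
ORIGINAL = {  # what the question's policy does: Deny ONLY the listed CIDR, bucket ARN only
    "Effect": "Deny", "Action": ["s3:GetObject"], "Resource": [BUCKET],
    "Condition": {"IpAddress": {"aws:SourceIp": "96.70.32.38/19"}},
}
CORRECTED = {  # the answer's fix: NotIpAddress plus bucket and object ARNs; as a bucket
    "Effect": "Deny", "Principal": "*", "Action": ["s3:GetObject"],  # policy it needs a Principal
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["96.70.32.38/32", "203.0.113.7/32"]}},
}


def ip_condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress condition blocks against one caller IP."""
    ip = ipaddress.ip_address(source_ip)
    for operator, values in condition.items():
        cidrs = values.get("aws:SourceIp", [])
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        # strict=False masks the host bits: "96.70.32.38/19" is the block 96.70.32.0/19,
        # i.e. 96.70.32.0 through 96.70.63.255, not a single address
        in_any = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
    return True


def statement_denies(stmt, action, resource, source_ip):
    """True if this Deny statement applies to the request (action, resource ARN, caller IP)."""
    return (
        stmt["Effect"] == "Deny"
        and action in stmt["Action"]
        and any(fnmatchcase(resource, pattern) for pattern in stmt["Resource"])
        and ip_condition_matches(stmt.get("Condition", {}), source_ip)
    )


VIDEO = BUCKET + "/video.mp4"  # constructed object key
if __name__ == "__main__":
    for label, stmt in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for ip in ("96.70.32.38", "198.51.100.9"):
            hit = statement_denies(stmt, "s3:GetObject", VIDEO, ip)
            print(label, ip, "denied" if hit else "not denied")
```

Because the deny uses NotIpAddress, it also applies to the administrator's own requests from any other network, including the AWS console, so keep a management path that is not subject to it.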

