[英]How can I add whitelisted Ips to Bucket Policy with aws:Referer information
我需要將一個IP列入白名單,以訪問我的s3存儲桶以處理存儲的信息。
我有一個當前的規則集,用於驗證網站的推薦地址(以下代碼)。 但是我不知道如何在策略中添加列入白名單的IP。 我努力了
"NotIpAddress": {
"aws:SourceIp": "xx.xx.xx.xxx/24"
}
帶有“效果”:“拒絕”,而相反的值則無濟於事。
{
"Version": "2008-10-17",
"Id": "",
"Statement": [
{
"Sid": "Allow in my domains",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::media.example.com/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"https://www.example.com/*"
]
}
}
},
{
"Sid": "Deny access if referer is not my sites",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::media.example.com/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://www.example.com/*",
"https://www.example.com/*"
]
}
}
}
]
}
結果是所有Ips都被列入了白名單,或者根本沒有任何作用。 我試圖通過專門使用AWS策略生成器代碼來查找可能的原因,但是它提供的任何功能似乎也不起作用。
要拒絕基於源IP地址的訪問,S3存儲桶策略必須像這樣
{
"Id": "Policy1563837124797",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllRequests",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket-name",
"Principal": "*"
},
{
"Sid": "DenyAllRequestsNotInRange",
"Effect": "Deny",
"Action": "s3:*",
"Principal": "*",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"54.240.196.190/24",
"54.0.0.0/8"
]
}
}
}
]
}
我剛剛在我的帳戶上對此進行了測試,它可以正常工作。 請注意,不需要aws:referer 。
從錯誤的IP范圍進行測試時:
$ aws s3 ls s3://bucket-name/
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
從正確的IP范圍進行測試時:
$ aws s3 ls s3://bucket-name/
2019-02-18 07:54:47 387 0ca4a0d1efdf43806aef1639f3c9e84c
2019-02-18 08:21:44 820 22a18723beb52f0ab67361545bbda1f3
2019-02-18 08:21:44 1281 62beb9d975ad0dfa3a945ee158f6e98c
2019-02-18 08:18:23 1231 ca03658513073f0a7a5538e8b3c63464
2019-02-18 07:54:48 6196 d405871de8daa2a9fae3808bbeb5cfb2
Amazon AWS存儲桶策略-Safari瀏覽器不發送引用信息
[英]Amazon AWS bucket policy - Safari browser not sending referer information
AWS 存儲桶策略允許 Lambda 但阻止所有其他外部 IP
[英]AWS Bucket Policy to Allow Lambda but block all other external IPs
如何將 IP 限制添加到已經有用戶限制的 s3 存儲桶(在存儲桶策略中)
[英]How can I add IP restrictions to s3 bucket(in the bucket Policy) already having a User restriction
如何使用對流層將 OriginAccessIdentity 添加到 AWS S3 存儲桶策略
[英]How to add OriginAccessIdentity to AWS S3 Bucket Policy using troposphere
來自 URL referer 的 AWS S3 Bucket 策略/訪問 - 訪問被拒絕
[英]AWS S3 Bucket policy/access from URL referer - access denied
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.