[英]AWS Bucket Policy to Allow Lambda but block all other external IPs
[英]Allow lambda function to access S3 bucket but block external IPs
我試圖在 lambda function 的幫助下寫入 S3 存儲桶,但希望 S3 存儲桶只能訪問辦公室網絡內的 IP。
I have used this bucket policy but this does not allow my lambda to write to the S3 bucket, when i remove the IP blocking part, lambda function works fine.
如何更改此存儲桶策略,使其允許 lambda 寫入但不允許外部 IPS 訪問 S3 存儲桶?
謝謝!
{
"Version": "2012-10-17",
"Id": "",
"Statement": [
{
"Sid": "AllowSESPuts",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::mybucket.net/*",
"Condition": {
"StringEquals": {
"aws:Referer": "230513111850"
}
}
},
{
"Sid": "AllowECSPuts",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::mybucket.net/*"
},
{
"Sid": "",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::abc.net/*",
"arn:aws:s3:::abc.net"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAJIS5E4JXTWB4RTX3I:*",
"230513111751"
]
},
"NotIpAddress": {
"aws:SourceIp": [
"81.111.111.111/24" --dummy IP
]
}
}
}
]
}
作為一般規則,如果您可以避免策略中的Deny
語句,它會使生活更輕松。
因此,您可以配置:
由於默認情況下拒絕訪問,因此存儲桶策略中應該不需要Deny
語句。
一種典型的方法是將 lambda function 放置在私有 VPC 子網中。 然后將 S3 網關 VPC 終端節點附加到它,並將相應的 S3 存儲桶策略設置為僅允許從 VPC 終端節點執行的某些操作。 [ 參考]
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.