我有一个私人s3水桶。我试图通过授权访问它。我只是通过使用AWS-SDK为存储桶中的每个对象生成预先签名的URL来实现这一点,这根本不可行。 此外,我已尝试配置存储桶策略并仅将预留权仅限于特定范围的ips,但它不起作用。我怎么能看到那里有什么问题? 您认为访问私有桶的最佳方法是什么?我有点困惑。
policy:
{
"Version": "2008-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPDeny",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "public/private IP of ec2 instance/32"
}
}
},
{
"Sid": "IPDeny",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "myIPAddress/32"
}
}
}
]
}
答案 0 :(得分:2)
我认为默认情况下,除非通过政策授予帐户访问权限,否则会限制访问S3。但是,S3默认设计为允许任何IP地址访问。因此,要阻止IP,您必须在策略中明确指定拒绝而不是允许。
你应该改变策略,只允许从我的IP地址访问,拒绝来自任何不是我的IP地址的访问。
所以我认为你可能会使用这个:
{
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3::: bucketname",
"Condition": {
"IpAddress": {
"aws:SourceIp": "CIDR Of Allowed IP"
}
}
}
]
你应该试试这个:
{
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPDeny",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3::: bucket name*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "CIDR Of Allowed IP"
}
}
}
]
我希望这有助于