授予无需凭证即可从特定IP访问AWS S3存储桶的权限 [英] Grant Access to AWS S3 bucket from specific IP without credentials

问题描述

我不想公开访问我的S3存储桶.但是我希望没有AWS CLI或任何凭证即可从我的本地组织网络访问它.我该如何实现?.

I do not want to make my S3 bucket publicly accessible. But I expect it to be accessible from my local organization network without the AWS CLI or any credentials. How can I achieve it?.

我尝试使用主体为*且源IP为组织网络的公共IP的存储桶策略.

I tried bucket policy with principal as * and source IP as the public IP of organization network.

推荐答案

如果打算授予对特定CIDR范围的匿名访问权限，同时还允许IAM策略向特定人员(例如管理员)授予其他访问权限，那么这不合适.

如果您要遵循

IF you were to follow the initial example laid out by the AWS documentation - you’ll end up with a policy that probably looks similar to this.

{
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "x.x.x.x/xx"
                }
            }
        }
    ]
}

几次敲打桌子后，您会发现该政策无效. S3存储桶似乎没有隐含的拒绝规则(类似于设置IAM访问策略的方式).

What you’re going to find, after banging your head on the table a few times, is that this policy does not work. There does not appear to be an implied deny rule with S3 buckets (similar to how IAM access policies are setup).

默认情况下，除非已通过策略为默认帐户授予访问权限，否则默认帐户无法访问S3. 但是，S3默认情况下被设计为允许任何IP地址访问.因此，要阻止IP，您必须在策略中明确指定拒绝，而不是允许.

By default accounts are restricted from accessing S3 unless they have been given access via policy. However, S3 is designed by default to allow any IP address access. So to block IP's you would have to specify denies explicitly in the policy instead of allows.

一旦您了解了这一点，该政策就很容易调整.您只需将策略从允许仅从我的IP地址访问到拒绝从任何不是我的IP地址的访问.

Once You learn this - the policy is easy to adjust. You just flipp around the policy from allowing access from only my IP address to denying access from everywhere that was NOT my IP address.

{
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPDeny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "xxx.x.x/xx"
                }
            }
        }
    ] }

希望这会有所帮助！

这篇关于授予无需凭证即可从特定IP访问AWS S3存储桶的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！