将对S3的访问限制为特定的IP地址 [英] Restricting Access to S3 to a Specific IP Address

问题描述

我有一个从AWS S3文档中自定义的存储桶策略，而不是IP地址范围，而是仅更改了一个IP.值区名称是:www.joaquinamenabar.com.IP地址66.175.217.48对应于子域: https://letsdance.joaquinamenabar.com/

I have a bucket policy that I customized from the AWS S3 docs, instead of range of IP addresses, I changed it for just one IP. The bucket name is : www.joaquinamenabar.com. The IP address 66.175.217.48 corresponds to the sub-domain: https://letsdance.joaquinamenabar.com/

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::www.joaquinamenabar.com/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "66.175.217.48"},
         "NotIpAddress": {"aws:SourceIp": "66.175.217.48"} 
      } 
    } 
  ]
}

这些文件不公开.我使用aws-sdk生成链接，该链接会在一段时间后过期.问题是可以从任何IP访问链接.自从我更改配置以来已经过去了一个多星期.这些更改应该已经传播到这个时候了.您知道此配置有什么问题吗?

The files are not available for public. I generate links using aws-sdk that expires after some time. The problem is the link is accessible from any IP. It has been more than a week since I changed the configuration. The changes should have propagated by this time. Any ideas what is wrong with this configuration?

推荐答案

该策略的效果似乎是允许所有IP的访问(66.175.217.48而不是66.175.217.48).删除NotIpAddress说明符.我认为您可能还需要以CIDR格式指定允许的IP地址:

It looks like the effect of this policy is to allow access from all IP's (66.175.217.48 and not 66.175.217.48). Remove the NotIpAddress specifier. I think you may need to specify the allowed Ip address in CIDR format too:

"IpAddress": {"aws:SourceIp": "66.175.217.48/32"}

这篇关于将对S3的访问限制为特定的IP地址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！