限制访问S3上托管的网站 [英] Restrict access to website hosted on S3

问题描述

我想在Amazon S3上托管一个静态网站，但我需要将访问权限限制为某些用户.这可以通过ip地址或通过Amazon凭据(只有登录的用户才能访问存储桶的内容.

I would like to host a static website at amazon S3, but I need to restrict access to it to certain users. This maybe by ip address or by amazon credentials (only logged in users can access the bucket's content.

这可能吗?

谢谢

推荐答案

是的，确实有可能.为您提供更好的起点，请阅读 S3访问控制.

Yes it indeed is possible. Better starting point for you would be read S3 access control.

但是默认情况下，在S3上创建的存储桶不是公开的.因此，默认行为应该是只有知道您的访问权限和密钥的个人/程序才能访问它.

But by default the buckets created on S3 aren't public. So the default behaviour should be that it will only be accessible to person/program who/which has knowledge of your access and secret key.

您也可以编辑存储桶权限，以便给予访问特定的AWS账户或电子邮件ID.

You may also edit bucket permission in order to give access to a particular AWS account or an email id.

为了限制对某些IP的访问，您可以创建其他存储桶策略.

In order to restrict access to certain IPs, you may create additional bucket policy.

限制对特定IP地址的访问

此语句向任何用户授予执行任何S3操作的权限 在指定存储桶中的对象上.但是，该请求必须 源于条件中指定的IP地址范围. 此语句中的条件标识192.168.143.*的范围 允许的IP地址，但有一个例外，即192.168.143.188.

This statement grants permissions to any user to perform any S3 action on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition. The condition in this statement identifies 192.168.143.* range of allowed IP addresses with one exception, 192.168.143.188.

请注意，在 条件使用RFC 2632中描述的CIDR表示法.有关更多信息 信息，请访问 http://www.rfc-editor.org/rfc/rfc4632.txt .

Note that the IPAddress and NotIpAddress values specified in the condition uses CIDR notation described in RFC 2632. For more information, go to http://www.rfc-editor.org/rfc/rfc4632.txt.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition" : {
                "IpAddress" : {
                    "aws:SourceIp": "192.168.143.0/24" 
                },
                "NotIpAddress" : {
                    "aws:SourceIp": "192.168.143.188/32" 
                } 
            } 
        } 
    ]
}

有关更多信息，请在此处和

For more, read here and here.

这篇关于限制访问S3上托管的网站的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！