限制对 S3 上托管的网站的访问 [英] Restrict access to website hosted on S3

问题描述

我想在 amazon S3 上托管一个静态网站，但我需要限制某些用户访问它.这可能是通过 IP 地址或亚马逊凭据(只有登录用户才能访问存储桶的内容.

I would like to host a static website at amazon S3, but I need to restrict access to it to certain users. This maybe by ip address or by amazon credentials (only logged in users can access the bucket's content.

这可能吗?

谢谢

推荐答案

是的，这确实是可能的.更好的起点是阅读 S3 访问控制.

Yes it indeed is possible. Better starting point for you would be read S3 access control.

但默认情况下，在 S3 上创建的存储桶不是公开的.因此，默认行为应该是只有知道您的访问和密钥的人/程序才能访问它.

But by default the buckets created on S3 aren't public. So the default behaviour should be that it will only be accessible to person/program who/which has knowledge of your access and secret key.

您还可以编辑存储桶权限，以便给予访问特定 AWS 帐户或电子邮件 ID.

You may also edit bucket permission in order to give access to a particular AWS account or an email id.

为了限制对某些 IP 的访问，您可以创建额外的存储桶策略.

In order to restrict access to certain IPs, you may create additional bucket policy.

限制对特定 IP 地址的访问

此语句授予任何用户执行任何 S3 操作的权限在指定存储桶中的对象上.但是，请求必须源自条件中指定的 IP 地址范围.此语句中的条件标识 192.168.143.* 范围允许的 IP 地址有一个例外，192.168.143.188.

This statement grants permissions to any user to perform any S3 action on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition. The condition in this statement identifies 192.168.143.* range of allowed IP addresses with one exception, 192.168.143.188.

请注意，IPAddress 和 NotIpAddress 值在条件使用 RFC 2632 中描述的 CIDR 表示法.有关更多信息信息，去http://www.rfc-editor.org/rfc/rfc4632.txt.

Note that the IPAddress and NotIpAddress values specified in the condition uses CIDR notation described in RFC 2632. For more information, go to http://www.rfc-editor.org/rfc/rfc4632.txt.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition" : {
                "IpAddress" : {
                    "aws:SourceIp": "192.168.143.0/24" 
                },
                "NotIpAddress" : {
                    "aws:SourceIp": "192.168.143.188/32" 
                } 
            } 
        } 
    ]
}

有关更多信息，请阅读此处和此处.

For more, read here and here.

这篇关于限制对 S3 上托管的网站的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！