受 IP 地址限制的 Amazon s3 预签名 URL [英] Amazon s3 Pre-signed URL restricted by IP address
问题描述
客户端应用程序请求 S3 的预签名 URL.目前我们限制 URL 的有效时间,但也希望将其限制为客户端的 IP 地址.
The client app requests a presigned URL for S3. Currently we limit the time the URL is valid but would like to also restrict it to the client's IP address.
是否可以创建仅限于特定 IP 地址的 S3 预签名 URL?
Is it possible to create a S3 presigned URL that is restricted to a specific IP address?
据我所知,只有 CloudFront 会让我这样做.
From what I can tell only CloudFront will let me do this.
推荐答案
是的!
首先,有必要解释一下预签名 URL 的概念.
First, it is worth explaining the concept of a Pre-Signed URL.
Amazon S3 中的对象默认是私有的.因此,如果有人试图在不提供凭据的情况下访问它,访问将被拒绝.
Objects in Amazon S3 are private by default. Therefore, if somebody tries to access it without providing credentials, access will be denied.
例如,这不适用于私有对象:
For example, this would not work for a private object:
https://my-bucket.s3.amazonaws.com/foo.json
要授予对象临时访问,可以生成预签名 URL.它看起来类似于:
To grant temporary access to the object, a Pre-signed URL can be generated. It looks similar to:
https://my-bucket.s3.amazonaws.com/x.json?AWSAccessKeyId=AKIAIVJQM12345CY3A3Q&Expires=1531965074&Signature=g7Jz%2B%2FYyqc%2FDeL1rzo7WM61RusM%3D
URL 表示我是*这个*特定的访问密钥,我授权临时访问直到*这个*时间,这是我计算的签名以证明它是我".
当使用预签名 URL 时,它临时使用签名实体的权限来获得对对象的访问权限.这意味着我可以为我被允许访问的对象生成一个有效的预签名 URL,但是如果我通常不被允许访问该对象,预签名 URL 将不起作用.
When the Pre-Signed URL is used, it temporarily uses the permissions of the signing entity to gain access to the object. This means that I can generate a valid pre-signed URL for an object that I am permitted to access, but the pre-signed URL will not work if I am not normally permitted to access the object.
因此,要创建仅限于特定 IP 地址的 S3 预签名 URL",您应该:
Therefore, to "create a S3 presigned URL that is restricted to a specific IP address", you should:
- 创建一个 IAM 实体(例如 IAM 用户),该实体可以访问具有 IP 地址限制的对象(或整个存储桶),以及
- 使用该实体生成预签名网址
- Create an IAM entity (eg IAM User) that has access to the object (or the whole bucket) with a IP address restriction, and
- Use that entity to generate the pre-signed URL
以下是 IAM 用户的示例策略:
Here is a sample policy for the IAM User:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "54.22.33.44/32"
}
}
}
]
}
结果将是一个预签名的 URL,该 URL 可以成功访问对象,但随后被 S3 拒绝,因为不满足 IP 地址限制.用户将收到访问被拒绝消息.
The result will be a pre-signed URL that works successfully to access the object, but is then rejected by S3 because the IP address restriction is not met. The user will receive an Access Denied message.
这篇关于受 IP 地址限制的 Amazon s3 预签名 URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!