在Amazon S3的桶政策将两个条件 [英] joining two conditions in amazon s3 bucket policy

问题描述

说我有一样的情况，我想，如果请求不是来自这些IP [192.0.2.0/24","203.0.113.0/24"]如果请求没有在下列 [example1.com，example2.com] 则否认。我知道，单独我可以做这样的事情：

say I have a condition like where I want that if the request is not from these ips ["192.0.2.0/24","203.0.113.0/24"] and if the request doesn't have a referrer among the following [example1.com, example2.com ] then deny it. I know individually I can do something like this:

{
    "Sid": "6",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my_bucket/*",
    "Condition": {    
        "IpAddress":{
            "aws:SourceIp": ["192.0.2.0/24","203.0.113.0/24"]
        }           
    }
}

{
    "Sid": "7",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::indeev5-dev-media/*/video/*",
    "Condition": {
        "StringNotLike": {
            "aws:Referer": [
                "http://example1.com/*",
                "http://example2.com/*",
            ]
        }
    }
}

但我怎么可以做一个的的和的here.Ie检查这两个条件在同一时间。我贴过一个问题，还挺有同样的最终目标，因此任何指针将pciated高度AP $ P $的这里。 总之就是我想要做的就是否认这是不从引用列表中，除了那些具从IP列表的所有请求。谢谢

but how can I do an "and" here.I.e check for both conditions at the same time. I had posted a question which kinda had the same end objective so any pointers would be highly appreciated here. In short what I want to do is deny all requests which are not from the referrer list except the ones which are from the ip list. Thanks

推荐答案

看来，你的逻辑的要求是：

It appears that your logic requirement is:

• 允许任何请求，其中的IP是在 [192.0.2.0/24，203.0.113.0/24]
• 允许任何请求，其中引用是 [http://example1.com/*，http://example2.com/*"]

• Allow any request where IP is in ["192.0.2.0/24","203.0.113.0/24"]
• Allow any request where referrer is in ["http://example1.com/*", "http://example2.com/*"]

所以，你可以将其设置为或，而不是而非，然后只使用allow而不能否定。这具有允许用户策略的工作（其可以通过使用DENY的覆盖）。

So, you could configure it as an OR rather than an AND NOT, and by only using ALLOW rather than DENY. This has the benefit of allowing User policies to work (which may be overridden by use of DENY).

该政策将分为两部分：

• 允许条件：{Ip地址：{AWS：SourceIp：192.0.2.0/24","203.0.113.0/24"]}}
• 允许条件：{弦乐器：{AWS：Referer的：http://example1.com/*","http://example2.com/* ，]}}

• ALLOW "Condition": {"IpAddress":{"aws:SourceIp": ["192.0.2.0/24","203.0.113.0/24"]}}
• ALLOW "Condition": {"StringLike": {"aws:Referer": ["http://example1.com/*","http://example2.com/*",]}}

（我没有测试过这一点。）

(I have not tested this.)

这篇关于在Amazon S3的桶政策将两个条件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！