AWS S3 bucket policy - allow a range of IP addresses

Question

I am trying to allow access to a number of IPv4 IP addresses starting with 111.222 via a policy in AWS S3, I have tried all the following but unable to get it to work:

{
    "Version": "2012-10-17",
    "Id": "AllowAccess",
    "Statement": [
        {
            "Sid": "AddAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "111.222.0.0",
                        "111.222.*.*",
                        "111.222.."
                    ]
                }
            }
        }
    ]
}

Is it possible to do this? I want IP addresses such as 111.222.1.2 and 111.222.99.6 to have access.

The bucket is hosting a static website that doesn't allow public access.

If I put in the full IP address it works, e.g., 111.222.1.2, but there are hundreds of IP addresses, so I would like to use a wildcard.

Answer 1

Score: 1

You can use CIDR as the IP address.

{
    "Version": "2012-10-17",
    "Id": "AllowAccess",
    "Statement": [
        {
            "Sid": "AddAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "111.222.0.0/16"
                    ]
                }
            }
        }
    ]
}

Answer 2

Score: 0

From this doc,

> IP address condition operators let you construct Condition elements that restrict access based on comparing a key to an IPv4 or IPv6 address or range of IP addresses. You use these with the aws:SourceIp key. The value must be in the standard CIDR format (for example, 203.0.113.0/24 or 2001:DB8:1234:5678::/64). If you specify an IP address without the associated routing prefix, IAM uses the default prefix value of /32.

You don't use wildcards in these conditions, you use CIDR notation. From what you're saying, the wildcard equivalent of what you want seems to be 111.222.*.* where * can be any number 0-255. This is the CIDR 111.222.0.0/16.
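As an added example (not code from the question or either answer), here is a small Python check using the standard-library ipaddress module that mirrors how an aws:SourceIp value is interpreted: a bare address gets the default prefix (/32 for IPv4), wildcard strings are rejected outright, and the CIDR 111.222.0.0/16 from the answers covers the two addresses the asker listed. The policy dict is constructed from the answer above; the function names are hypothetical, and this is a local model of the condition, not an IAM API.

```python
import ipaddress

# Constructed example: the bucket policy in CIDR form, as given in the answers.
POLICY = {
    "Version": "2012-10-17",
    "Id": "AllowAccess",
    "Statement": [
        {
            "Sid": "AddAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["111.222.0.0/16"]}},
        }
    ],
}


def parse_source_ip_value(value):
    """Parse one aws:SourceIp value the way IAM does: CIDR only, no wildcards.

    A bare address gets the default prefix (/32 for IPv4, /128 for IPv6),
    which is why "111.222.0.0" on its own matched only that single host.
    Raises ValueError for strings such as "111.222.*.*" or "111.222..".
    """
    return ipaddress.ip_network(value)


def is_valid_source_ip_value(value):
    """True if the value would be accepted in an IpAddress condition."""
    try:
        parse_source_ip_value(value)
    except ValueError:
        return False
    return True


def source_ip_allowed(policy, source_ip):
    """Return True if an Allow statement's IpAddress condition matches source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        values = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(values, str):  # a condition value may be a single string
            values = [values]
        # An IPv4 address never falls inside an IPv6 network (and vice versa).
        if any(ip in parse_source_ip_value(v) for v in values):
            return True
    return False
```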

huangapple
  • Posted on 2023-04-17 23:01:24
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76036555.html