英文:
aws s3 bucket policy - allow range of ip addresses
问题
I am trying to allow access to a number of IPv4 IP addresses starting with 111.222 via a policy in AWS S3, I have tried all the following but unable to get it to work:
{
"Version": "2012-10-17",
"Id": "AllowAccess",
"Statement": [
{
"Sid": "AddAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"111.222.0.0",
"111.222.*.*",
"111.222.."
]
}
}
}
]
}
Is it possible to do this? I want IP addresses such as 111.222.1.2 and 111.222.99.6 to have access.
The bucket is hosting a static website that doesn't allow public access.
If I put in the full IP address it works, e.g., 111.222.1.2, but there are hundreds of IP addresses, so I would like to use a wildcard.
英文:
I am trying to allow access to a number of ipv4 ip addresses starting with 111.222 via a policy in aws s3, I have tried all the following but unable to get it to work -
{
"Version": "2012-10-17",
"Id": "AllowAccess",
"Statement": [
{
"Sid": "AddAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"111.222.0.0",
"111.222.*.*",
"111.222.."
]
}
}
}
}
Is it possible to do this? I want ip addresses such as 111.222.1.2 and 111.222.99.6 to have access.
The bucket is hosting a static website that doesn't allow public access.
If I put in the full ip address it works e.g. - 111.222.1.2 but there are hundreds of ip addresses, so would like to use a wildcard.
答案1
得分: 1
你可以使用CIDR作为IP地址。
{
"Version": "2012-10-17",
"Id": "AllowAccess",
"Statement": [
{
"Sid": "AddAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"111.222.0.0/16"
]
}
}
}
]
}
英文:
You can use CIDR as ip address.
{
"Version": "2012-10-17",
"Id": "AllowAccess",
"Statement": [
{
"Sid": "AddAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"111.222.0.0/16"
]
}
}
}
}
答案2
得分: 0
以下是已翻译的内容:
从此文档中,
IP地址条件运算符允许您构建条件元素,根据比较密钥与IPv4或IPv6地址或IP地址范围来限制访问。您将这些与
aws:SourceIp密钥一起使用。该值必须采用标准的CIDR格式(例如,203.0.113.0/24或2001:DB8:1234:5678::/64)。如果您指定一个IP地址而没有关联的路由前缀,IAM将使用/32的默认前缀值。
在这些条件中不使用通配符,而是使用CIDR表示法。根据您所说的,您想要的通配符等效物似乎是111.222.*.*,其中*可以是0-255中的任何数字。这是CIDR111.222.0.0/16。
英文:
From this doc,
> IP address condition operators let you construct Condition elements that restrict access based on comparing a key to an IPv4 or IPv6 address or range of IP addresses. You use these with the aws:SourceIp key. The value must be in the standard CIDR format (for example, 203.0.113.0/24 or 2001:DB8:1234:5678::/64). If you specify an IP address without the associated routing prefix, IAM uses the default prefix value of /32.
You don't use wildcards in these condtions, you use Cidr notation. From what you're saying, the wildcard equivalent of what you want seems to be 111.222.*.* where * can be any number 0-255. This is the CIDR 111.222.0.0/16.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论