s3 策略允许在同一语句中使用多个 IP

Question

我正在尝试允许从 3 个指定的 IP 地址连接到存储桶。当我这样添加它们时：

{
    "Version": "2008-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPDeny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "ip1",
                    "aws:SourceIp": "ip2",
                    "aws:SourceIp": "ip3"
                }
            }
        }
    ]
}

保存后只保留三行中的一行，所以我只能设置一个IP。知道如何在不长时间添加新语句和解决方法的情况下做到这一点吗？

Answer 1

{
    "Version": "2008-10-17",
    "Id": "testPolicy",
    "Statement": [

        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/subfolder/subfolder2/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "xxx.xxx.xxx.xxx/32",
                        "xxx.xxx.xxx.xxx/32"
                    ]
                }
            }
        }

] }

Answer 2

您必须以子网的形式提供 IP，例如
错误：1.2.3.4
右：1.2.3.4/32

Answer 3

不强制为特定 IP 地址应用路由前缀。根据official AWS Documentation、

If you specify an IP address without the associated routing prefix, IAM uses the default prefix value of /32.

我最后测试了它，即使在 IP 地址后没有指定 /32 也能正常工作。

s3 策略允许在同一语句中使用多个 IP

s3 policy allow multiple IPs at the same statement

private

ip-address

amazon-s3

access-denied

amazon-web-services