Why does my AWS S3 policy not restrict access to only certain IP addresses?
I am creating an S3 policy in AWS. The S3 bucket stores mp4 videos. I already have access working based on username and password, but I am having trouble when I try to restrict access by IP (I only want this video to be accessible from certain IP addresses, just my home and office IP addresses).
I used myipaddress.com and the ipconfig command in cmd to come up with the subnet mask (/19, although some use /32, /24, etc.), but when I use another IP address it still lets me watch the video. In other words, anyone can view this video and I am unable to restrict access. Here is the policy code.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "s3:PutAnalyticsConfiguration",
        "s3:GetObjectVersionTagging",
        "s3:DeleteAccessPoint",
        "s3:CreateBucket",
        "s3:GetStorageLensConfigurationTagging",
        "s3:ReplicateObject",
        "s3:GetObjectAcl",
        "s3:GetBucketObjectLockConfiguration",
        "s3:DeleteBucketWebsite",
        "s3:DeleteJobTagging",
        "s3:PutLifecycleConfiguration",
        "s3:GetObjectVersionAcl",
        "s3:PutBucketAcl",
        "s3:PutObjectTagging",
        "s3:DeleteObject",
        "s3:DeleteObjectTagging",
        "s3:GetBucketPolicyStatus",
        "s3:GetObjectRetention",
        "s3:GetBucketWebsite",
        "s3:GetJobTagging",
        "s3:DeleteStorageLensConfigurationTagging",
        "s3:PutReplicationConfiguration",
        "s3:DeleteObjectVersionTagging",
        "s3:PutObjectLegalHold",
        "s3:GetObjectLegalHold",
        "s3:GetBucketNotification",
        "s3:PutBucketCORS",
        "s3:DeleteBucketPolicy",
        "s3:GetReplicationConfiguration",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutBucketNotification",
        "s3:DescribeJob",
        "s3:PutBucketLogging",
        "s3:PutObjectVersionAcl",
        "s3:GetAnalyticsConfiguration",
        "s3:PutBucketObjectLockConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:PutAccessPointPolicy",
        "s3:GetStorageLensDashboard",
        "s3:CreateAccessPoint",
        "s3:GetLifecycleConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetBucketTagging",
        "s3:PutAccelerateConfiguration",
        "s3:DeleteObjectVersion",
        "s3:GetBucketLogging",
        "s3:ListBucketVersions",
        "s3:ReplicateTags",
        "s3:RestoreObject",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketPolicy",
        "s3:PutEncryptionConfiguration",
        "s3:GetEncryptionConfiguration",
        "s3:GetObjectVersionTorrent",
        "s3:AbortMultipartUpload",
        "s3:PutBucketTagging",
        "s3:GetBucketRequestPayment",
        "s3:DeleteBucketOwnershipControls",
        "s3:GetAccessPointPolicyStatus",
        "s3:UpdateJobPriority",
        "s3:GetObjectTagging",
        "s3:GetMetricsConfiguration",
        "s3:GetBucketOwnershipControls",
        "s3:DeleteBucket",
        "s3:PutBucketVersioning",
        "s3:PutObjectAcl",
        "s3:GetBucketPublicAccessBlock",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutMetricsConfiguration",
        "s3:PutStorageLensConfigurationTagging",
        "s3:PutBucketOwnershipControls",
        "s3:PutObjectVersionTagging",
        "s3:PutJobTagging",
        "s3:UpdateJobStatus",
        "s3:GetBucketVersioning",
        "s3:GetBucketAcl",
        "s3:BypassGovernanceRetention",
        "s3:PutInventoryConfiguration",
        "s3:GetObjectTorrent",
        "s3:ObjectOwnerOverrideToBucketOwner",
        "s3:GetStorageLensConfiguration",
        "s3:DeleteStorageLensConfiguration",
        "s3:PutBucketWebsite",
        "s3:PutBucketRequestPayment",
        "s3:PutObjectRetention",
        "s3:GetBucketCORS",
        "s3:PutBucketPolicy",
        "s3:DeleteAccessPointPolicy",
        "s3:GetBucketLocation",
        "s3:GetAccessPointPolicy",
        "s3:ReplicateDelete",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::internshipbucket12",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "96.70.32.38/19"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "s3:ListStorageLensConfigurations",
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:ListJobs",
        "s3:PutStorageLensConfiguration",
        "s3:CreateJob"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "96.70.32.38/19"
        }
      }
    }
  ]
}
That is not how it works. Your policy is an IAM policy, not a bucket policy. That means only the IAM users and roles you have explicitly allowed can access the video. Your policy does not grant anonymous access.

Also, your Deny will only apply to requests coming from 96.70.32.38/19. If you are going to use a different IP, these policies do not apply. To have the Deny apply to every IP address other than your own, you need NotIpAddress instead of IpAddress in the Condition, as described in the AWS docs. In addition, your first statement will only apply to the bucket, not to its objects. For both the objects and the bucket you need:

"Resource": [
  "arn:aws:s3:::internshipbucket12",
  "arn:aws:s3:::internshipbucket12/*"
]

Also, buckets and objects are private by default. So you do not need an IAM policy with an explicit Deny. By default nobody can access the bucket and its contents unless you, as administrator, allow it in a policy.
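The following is an added example, not code from the question or the answer: a minimal evaluator for just the subset of IAM policy logic discussed above (Action and Resource matching with wildcards, the IpAddress and NotIpAddress operators on aws:SourceIp, and explicit Deny beating Allow). It builds two constructed policies from the bucket name and /19 range in the question, one shaped like the posted policy and one with the answer's two corrections, so the difference in outcome can be checked offline.

```python
# Added example (not from the original post): a simplified IAM policy
# evaluator showing why a Deny with "IpAddress" never affects other IPs.
import ipaddress
from fnmatch import fnmatchcase

def _ip_in(ip, cidrs):
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False)
               for c in cidrs)

def _condition_holds(cond, source_ip):
    # Only the two IP operators from the page are modelled; all blocks must hold.
    for op, kv in cond.items():
        cidrs = kv.get("aws:SourceIp", [])
        if op == "IpAddress" and not _ip_in(source_ip, cidrs):
            return False
        if op == "NotIpAddress" and _ip_in(source_ip, cidrs):
            return False
    return True

def _matches(stmt, action, resource):
    acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    return (any(fnmatchcase(action, a) for a in acts)
            and any(fnmatchcase(resource, r) for r in res))

def evaluate(policy, action, resource, source_ip):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one identity-based policy.
    An explicit Deny wins over any Allow; no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource) and _condition_holds(
                stmt.get("Condition", {}), source_ip):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

BUCKET = "arn:aws:s3:::internshipbucket12"  # bucket name from the question
HOME = "96.70.32.38/19"                      # range from the question

def policy(op, resources):
    # Constructed: Allow GetObject everywhere, plus a Deny using the given IP operator.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": resources,
         "Condition": {op: {"aws:SourceIp": HOME}}}]}

ORIGINAL = policy("IpAddress", BUCKET)                   # as posted: bucket ARN only
FIXED = policy("NotIpAddress", [BUCKET, BUCKET + "/*"])  # the answer's corrections
```

With ORIGINAL, a request from an address outside the /19 is still allowed, and the only thing the Deny ever hits is a bucket-level action from the home range itself; with FIXED, object reads are denied from outside the /19 and allowed from inside it.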