amazon-web-services - 为什么我的 AWS S3 策略不会仅限制某些 IP 地址的访问?
问题描述
我正在努力在 AWS 中创建 S3 策略。S3 存储一个 mp4 视频。我已经根据用户名或密码启动了访问,但是当我尝试限制 IP 访问时(只想让这个视频从某个 IP 地址访问,只有我的家庭和办公室 IP 地址)。
我使用 myipaddress.com 并在 cmd 中查找“IPconfig”功能以提供子网掩码代码(/19,但有些使用 /32、/24 等)但是当我使用另一个 IP 地址时,它允许使用视频. 换句话说,任何观看此视频的人都无法限制访问。以下是政策代码。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": [
"s3:PutAnalyticsConfiguration",
"s3:GetObjectVersionTagging",
"s3:DeleteAccessPoint",
"s3:CreateBucket",
"s3:GetStorageLensConfigurationTagging",
"s3:ReplicateObject",
"s3:GetObjectAcl",
"s3:GetBucketObjectLockConfiguration",
"s3:DeleteBucketWebsite",
"s3:DeleteJobTagging",
"s3:PutLifecycleConfiguration",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:GetBucketPolicyStatus",
"s3:GetObjectRetention",
"s3:GetBucketWebsite",
"s3:GetJobTagging",
"s3:DeleteStorageLensConfigurationTagging",
"s3:PutReplicationConfiguration",
"s3:DeleteObjectVersionTagging",
"s3:PutObjectLegalHold",
"s3:GetObjectLegalHold",
"s3:GetBucketNotification",
"s3:PutBucketCORS",
"s3:DeleteBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketNotification",
"s3:DescribeJob",
"s3:PutBucketLogging",
"s3:PutObjectVersionAcl",
"s3:GetAnalyticsConfiguration",
"s3:PutBucketObjectLockConfiguration",
"s3:GetObjectVersionForReplication",
"s3:PutAccessPointPolicy",
"s3:GetStorageLensDashboard",
"s3:CreateAccessPoint",
"s3:GetLifecycleConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:ReplicateTags",
"s3:RestoreObject",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:DeleteBucketOwnershipControls",
"s3:GetAccessPointPolicyStatus",
"s3:UpdateJobPriority",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetBucketOwnershipControls",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:GetBucketPublicAccessBlock",
"s3:ListBucketMultipartUploads",
"s3:PutBucketPublicAccessBlock",
"s3:PutMetricsConfiguration",
"s3:PutStorageLensConfigurationTagging",
"s3:PutBucketOwnershipControls",
"s3:PutObjectVersionTagging",
"s3:PutJobTagging",
"s3:UpdateJobStatus",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:BypassGovernanceRetention",
"s3:PutInventoryConfiguration",
"s3:GetObjectTorrent",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:GetStorageLensConfiguration",
"s3:DeleteStorageLensConfiguration",
"s3:PutBucketWebsite",
"s3:PutBucketRequestPayment",
"s3:PutObjectRetention",
"s3:GetBucketCORS",
"s3:PutBucketPolicy",
"s3:DeleteAccessPointPolicy",
"s3:GetBucketLocation",
"s3:GetAccessPointPolicy",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::internshipbucket12",
"Condition": {
"IpAddress": {
"aws:SourceIp": "96.70.32.38/19"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Deny",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:GetAccessPoint",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:PutStorageLensConfiguration",
"s3:CreateJob"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "96.70.32.38/19"
}
}
}
]
}
解决方案
任何人都可以查看此视频,我无法限制访问。
这不是它的工作方式。您的策略是 IAM 策略,而不是存储桶策略。这意味着只有您启用了明确允许的 IAM 用户和角色才能访问视频。您的政策不允许匿名访问。
此外,您的拒绝将仅适用于来自地址的请求。96.70.32.38/19如果您要使用不同的 IP,则该策略不适用。要将拒绝应用于所有其他 IP 地址,除了您自己的,您需要NotIpAddress,而不是IpAddress在AWS 文档Condition中解释的那样。此外,您的第一条语句将仅适用于bucket,而不适用于它的对象。对于您需要的对象和存储桶:
"Resource": [
"arn:aws:s3:::internshipbucket12",
"arn:aws:s3:::internshipbucket12/*",
]
此外,默认情况下存储桶和对象 是私有的。因此,您无需使用带有明确拒绝的 IAM 策略。默认情况下,没有人可以访问存储桶及其内容,除非您作为管理员在策略中允许这样做。
推荐阅读
- reinforcement-learning - 运行“python 示例/rllib/traffic_light_grid.py”时出现 FLOW 错误
- node.js - 如何在生产中保护 mongoDB 连接
- python - 如何修复 Python 中的 Valueerror,在机器学习中进行缩放?
- flutter - Dart:获取列表 2 中元素的索引(列表 1 中的元素)
- string - 对多个字符串进行操作以产生一个字符串
- c# - INSERT 语句与 FOREIGN KEY 约束“tableConstraint”冲突
- r - 函数中使用的 R phyloseq tax_glom 给出错误
- mysql - 在 Where 子句中使用相乘的列
- c++ - 如何对二维向量进行排序
- c - 将 CURLcode res 转换为 char*