Home > Mobile >  S3 bucket access restriction with bucket policy
S3 bucket access restriction with bucket policy

Time:08-18

I want to restrict the bucket access write/read only to a ECS and certain IP(231.12.12.XX) address. (S3 accept the requests only from ECS and a certain address)

Then, I am editing the S3 bucket policy on console, but it is a bit confused.

AddStatement-> Action S3 -> All Actions(s3:*)

Add resource -> select s3 bucket

then this is composed.

    {
        "Sid": "Statement1",
        "Principal": {},
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::wb-bucket-stag"
        ]
    }

but,, where can I write the setting of restriction?

My idea which making restriction with policy statement is wrong?

My current statement is here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::wb-bucket-stag/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::211111111111:role/wb-stag-ecs-stack-CustomS3AutoDeleteObjectsCustomR-1P8P3OTZHDO4Z"
            },
            "Action": [
                "s3:GetBucket*",
                "s3:List*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::wb-bucket-stag",
                "arn:aws:s3:::wb-bucket-stag/*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::wb-bucket-stag/*"
        }
    ]
}

CodePudding user response:

How to make a bucket policy with ip address restrictions is explained in

Specifically, the following condition can be added, e.g.:

      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "11.11.11.11/32",
            "22.22.22.22/32"
          ]
        }
      },
  • Related