I want to restrict bucket read/write access to an ECS and a certain IP address (231.12.12.XX). (S3 should accept requests only from ECS and a certain address.)
Then, I am editing the S3 bucket policy in the console, but it is a bit confusing.
Add Statement -> Action S3 -> All Actions (s3:*)
Add resource -> select S3 bucket
Then this is composed:
{
    "Sid": "Statement1",
    "Principal": {},
    "Effect": "Allow",
    "Action": [
        "s3:*"
    ],
    "Resource": [
        "arn:aws:s3:::wb-bucket-stag"
    ]
}
But where can I write the restriction setting?
Is my idea of making the restriction with a policy statement wrong?
My current statement is here:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::wb-bucket-stag/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::211111111111:role/wb-stag-ecs-stack-CustomS3AutoDeleteObjectsCustomR-1P8P3OTZHDO4Z"
            },
            "Action": [
                "s3:GetBucket*",
                "s3:List*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::wb-bucket-stag",
                "arn:aws:s3:::wb-bucket-stag/*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::wb-bucket-stag/*"
        }
    ]
}
CodePudding user response:
How to make a bucket policy with IP address restrictions is explained in
Specifically, the following condition can be added, e.g.:
"Condition": {
    "NotIpAddress": {
        "aws:SourceIp": [
            "11.11.11.11/32",
            "22.22.22.22/32"
        ]
    }
},
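To show how the NotIpAddress condition from the answer fits into the questioner's goal (ECS role plus one IP range), here is an added example that is not part of the question or the answer. It builds a complete bucket policy in which the restriction lives in an explicit Deny statement, because an explicit Deny overrides every Allow in the policy, including the broad `"Principal": {"AWS": "*"}` grants in the question. The Deny carries two conditions that are ANDed: NotIpAddress on aws:SourceIp (outside the office range) and ArnNotEquals on aws:PrincipalArn (not the ECS role), so ECS traffic is exempt wherever it comes from. The bucket name and account id echo the question; the ECS task role, the "office" role, the 231.12.12.0/24 range and the request contexts are constructed placeholders. The small evaluator below models only the operators used here, not the whole IAM evaluation logic.

```python
import fnmatch
import ipaddress

# Constructed names (hypothetical; only the bucket and account id come from the question).
BUCKET = "wb-bucket-stag"
ECS_ROLE = "arn:aws:iam::211111111111:role/wb-stag-ecs-task-role"    # hypothetical
OFFICE_ROLE = "arn:aws:iam::211111111111:role/wb-office-operators"  # hypothetical
OFFICE_CIDR = "231.12.12.0/24"  # the question's 231.12.12.XX written as a CIDR
RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
RW_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # ECS task role: read/write, no location restriction.
            "Sid": "AllowEcsTaskRole", "Effect": "Allow",
            "Principal": {"AWS": ECS_ROLE}, "Action": RW_ACTIONS, "Resource": RESOURCES,
        },
        {   # Operators: read/write, but the Deny below pins them to the office range.
            "Sid": "AllowOfficeRole", "Effect": "Allow",
            "Principal": {"AWS": OFFICE_ROLE}, "Action": RW_ACTIONS, "Resource": RESOURCES,
        },
        {   # Explicit Deny wins over any Allow. Both conditions must hold (AND), so the
            # Deny fires only for requests that are outside the office range AND not the
            # ECS role (aws:PrincipalArn is the role ARN for a role session).
            "Sid": "DenyOutsideOfficeUnlessEcsRole", "Effect": "Deny",
            "Principal": "*", "Action": "s3:*", "Resource": RESOURCES,
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": [OFFICE_CIDR]},
                "ArnNotEquals": {"aws:PrincipalArn": ECS_ROLE},
            },
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    # IAM-style wildcard match for Action/Resource ("*" and "?" only).
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    return any(p == "*" or p == arn for p in _as_list(principal.get("AWS", [])))


def _condition_holds(cond, ctx):
    # Every operator/key pair in one Condition block must hold (AND); the values listed
    # for a key are alternatives (OR). A "Not*" operator holds when the key is absent
    # from the request context, which is the case for aws:SourceIp on requests that
    # arrive through a VPC endpoint.
    for operator, keys in cond.items():
        for key, values in keys.items():
            values, actual = _as_list(values), ctx.get(key)
            if actual is None:
                if "Not" in operator:
                    continue
                return False
            if operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
            elif operator in ("ArnEquals", "ArnNotEquals"):
                hit = any(_match(v, actual) for v in values)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if hit == operator.startswith(("Not", "ArnNot")):
                return False
    return True


def evaluate(policy, request):
    """Simplified bucket-policy evaluation for one request context:
    a matching explicit Deny wins, otherwise any matching Allow, otherwise implicit deny."""
    outcome = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], request["aws:PrincipalArn"]):
            continue
        if not any(_match(a, request["action"]) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, request["resource"]) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), request):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


def sample_decisions():
    """Constructed request contexts (made-up documentation IPs) writing one object."""
    obj = f"arn:aws:s3:::{BUCKET}/reports/2024-01.csv"  # constructed key
    cases = {
        "ecs role via NAT gateway": {"aws:PrincipalArn": ECS_ROLE, "aws:SourceIp": "203.0.113.7"},
        "ecs role via VPC endpoint": {"aws:PrincipalArn": ECS_ROLE},  # no aws:SourceIp
        "office role from office range": {"aws:PrincipalArn": OFFICE_ROLE, "aws:SourceIp": "231.12.12.45"},
        "office role from elsewhere": {"aws:PrincipalArn": OFFICE_ROLE, "aws:SourceIp": "198.51.100.2"},
        "unrelated role from office range": {
            "aws:PrincipalArn": "arn:aws:iam::999999999999:role/someone-else", "aws:SourceIp": "231.12.12.45"},
    }
    return {name: evaluate(POLICY, {"action": "s3:PutObject", "resource": obj, **ctx})
            for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{decision:13} {name}")
```

Two points the evaluation makes visible: the Deny with `"Principal": "*"` also applies to the account's own console and CLI users when they are outside the range, so the IP list must be right before the policy is saved (AWS documents that the bucket-owner root user can still delete a bucket policy to recover); and a request arriving through a VPC gateway endpoint carries no aws:SourceIp at all, so an ECS task behind such an endpoint is only let in because of the aws:PrincipalArn exemption, not because of its address.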