2개 답변
- 최신
- 최다 투표
- 가장 많은 댓글
0
You can use a bucket policy to specify which IP can access an S3 bucket. Please see a detailed blog with some samples: https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/
답변함 일 년 전
0
When a user uses a S3 pre-signed URL, the credentials and permissions of the creator of the URL are used to access the object. So, if you want to restrict the PUT of the object to a specific IP address you use a policy like this, attached to the role/user that creates the presigned URL.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1670849877919",
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.45/32"
}
}
}
]
}
You can also attach a bucket policy to the bucket and denies all other requests to lock down the bucket to only this source IP.
{
"Id": "Policy1670850160564",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1670850159333",
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "192.168.1.45/32"
}
},
"Principal": "*"
}
]
}
Hi, wanted to know how to secure the uploads using AWS post policy and make a signed policy usable once, and by specific user only.
You can use presigned URLs to accomplish that. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html