Amazon web services S3 Bucket策略帮助需要额外将一个文件限制为特定IP

根据下面给出的存储桶策略，我已将整个存储桶的读取权限限制为特定IP，例如

1.1.1.0

&

2.2.2.0

里面有一个文件，

s3://MYBUCKET/onefile.txt

，我想给它另一组IP读访问权限，例如

3.3.3.0

和

4.4.4.0

。因此，现在只能通过

3.3.3.0

和

4.4.4.0

访问

onefile.txt

，而不能通过

1.1.0

和

2.2.2.0

或任何其他方式访问

我怎样才能做到这一点

当前权限>存储桶策略（例如）

---

除了策略中的现有语句之外，还为该文件

onefile.txt

添加显式拒绝和允许语句

更新的bucket策略如下所示：

{
    "Version": "2012-10-17",
    "Id": "http referer policy",
    "Statement": [
        {
            "Sid": "MY RESTRICTED REQUESTS",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MYBUCKET/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "1.1.1.0/20",
                        "2.2.2.0/22"
                    ]
                }
            }
        },
        {
            "Sid": "MY RESTRICTED REQUESTS_1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "3.3.3.0/20",
                        "4.4.4.0/22"
                    ]
                }
            }
        },
        {
            "Sid": "MY RESTRICTED REQUESTS_2",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "1.1.1.0/20",
                        "2.2.2.0/22"
                    ]
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Id": "http referer policy",
    "Statement": [
        {
            "Sid": "MY RESTRICTED REQUESTS",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MYBUCKET/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "1.1.1.0/20",
                        "2.2.2.0/22"
                    ]
                }
            }
        },
        {
            "Sid": "MY RESTRICTED REQUESTS_1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "3.3.3.0/20",
                        "4.4.4.0/22"
                    ]
                }
            }
        },
        {
            "Sid": "MY RESTRICTED REQUESTS_2",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "1.1.1.0/20",
                        "2.2.2.0/22"
                    ]
                }
            }
        }
    ]
}