Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/amazon-web-services/14.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Amazon web services 为什么我的AWS S3策略不会仅限制某些IP地址的访问?_Amazon Web Services_Amazon S3_Networking_Aws Lambda_Ip - Fatal编程技术网
Fatal编程技术网
  • amazon-web-services/
  • Amazon web services 为什么我的AWS S3策略不会仅限制某些IP地址的访问?

Amazon web services 为什么我的AWS S3策略不会仅限制某些IP地址的访问?

amazon-web-services amazon-s3 networking aws-lambda ip

Amazon web services 为什么我的AWS S3策略不会仅限制某些IP地址的访问?,amazon-web-services,amazon-s3,networking,aws-lambda,ip,Amazon Web Services,Amazon S3,Networking,Aws Lambda,Ip,我正在AWS中创建S3策略。S3存储mp4视频。我已经根据用户名或密码启动了访问,但当我尝试限制IPs访问时(只希望从特定IP地址访问此视频,仅限于我的家庭和办公室IP地址) 我使用myipaddress.com并在cmd中查找“IPconfig”功能,得到子网掩码代码(/19,但有些使用/32、/24等),但当我使用另一个IP地址时,它允许使用视频。换句话说,任何人都可以观看此视频,我无法限制访问。以下是政策代码 { "Version": "201

我正在AWS中创建S3策略。S3存储mp4视频。我已经根据用户名或密码启动了访问,但当我尝试限制IPs访问时(只希望从特定IP地址访问此视频,仅限于我的家庭和办公室IP地址)

我使用myipaddress.com并在cmd中查找“IPconfig”功能,得到子网掩码代码(/19,但有些使用/32、/24等),但当我使用另一个IP地址时,它允许使用视频。换句话说,任何人都可以观看此视频,我无法限制访问。以下是政策代码

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Deny",
                "Action": [
                    "s3:PutAnalyticsConfiguration",
                    "s3:GetObjectVersionTagging",
                    "s3:DeleteAccessPoint",
                    "s3:CreateBucket",
                    "s3:GetStorageLensConfigurationTagging",
                    "s3:ReplicateObject",
                    "s3:GetObjectAcl",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:DeleteBucketWebsite",
                    "s3:DeleteJobTagging",
                    "s3:PutLifecycleConfiguration",
                    "s3:GetObjectVersionAcl",
                    "s3:PutBucketAcl",
                    "s3:PutObjectTagging",
                    "s3:DeleteObject",
                    "s3:DeleteObjectTagging",
                    "s3:GetBucketPolicyStatus",
                    "s3:GetObjectRetention",
                    "s3:GetBucketWebsite",
                    "s3:GetJobTagging",
                    "s3:DeleteStorageLensConfigurationTagging",
                    "s3:PutReplicationConfiguration",
                    "s3:DeleteObjectVersionTagging",
                    "s3:PutObjectLegalHold",
                    "s3:GetObjectLegalHold",
                    "s3:GetBucketNotification",
                    "s3:PutBucketCORS",
                    "s3:DeleteBucketPolicy",
                    "s3:GetReplicationConfiguration",
                    "s3:ListMultipartUploadParts",
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:PutBucketNotification",
                    "s3:DescribeJob",
                    "s3:PutBucketLogging",
                    "s3:PutObjectVersionAcl",
                    "s3:GetAnalyticsConfiguration",
                    "s3:PutBucketObjectLockConfiguration",
                    "s3:GetObjectVersionForReplication",
                    "s3:PutAccessPointPolicy",
                    "s3:GetStorageLensDashboard",
                    "s3:CreateAccessPoint",
                    "s3:GetLifecycleConfiguration",
                    "s3:GetInventoryConfiguration",
                    "s3:GetBucketTagging",
                    "s3:PutAccelerateConfiguration",
                    "s3:DeleteObjectVersion",
                    "s3:GetBucketLogging",
                    "s3:ListBucketVersions",
                    "s3:ReplicateTags",
                    "s3:RestoreObject",
                    "s3:ListBucket",
                    "s3:GetAccelerateConfiguration",
                    "s3:GetBucketPolicy",
                    "s3:PutEncryptionConfiguration",
                    "s3:GetEncryptionConfiguration",
                    "s3:GetObjectVersionTorrent",
                    "s3:AbortMultipartUpload",
                    "s3:PutBucketTagging",
                    "s3:GetBucketRequestPayment",
                    "s3:DeleteBucketOwnershipControls",
                    "s3:GetAccessPointPolicyStatus",
                    "s3:UpdateJobPriority",
                    "s3:GetObjectTagging",
                    "s3:GetMetricsConfiguration",
                    "s3:GetBucketOwnershipControls",
                    "s3:DeleteBucket",
                    "s3:PutBucketVersioning",
                    "s3:PutObjectAcl",
                    "s3:GetBucketPublicAccessBlock",
                    "s3:ListBucketMultipartUploads",
                    "s3:PutBucketPublicAccessBlock",
                    "s3:PutMetricsConfiguration",
                    "s3:PutStorageLensConfigurationTagging",
                    "s3:PutBucketOwnershipControls",
                    "s3:PutObjectVersionTagging",
                    "s3:PutJobTagging",
                    "s3:UpdateJobStatus",
                    "s3:GetBucketVersioning",
                    "s3:GetBucketAcl",
                    "s3:BypassGovernanceRetention",
                    "s3:PutInventoryConfiguration",
                    "s3:GetObjectTorrent",
                    "s3:ObjectOwnerOverrideToBucketOwner",
                    "s3:GetStorageLensConfiguration",
                    "s3:DeleteStorageLensConfiguration",
                    "s3:PutBucketWebsite",
                    "s3:PutBucketRequestPayment",
                    "s3:PutObjectRetention",
                    "s3:GetBucketCORS",
                    "s3:PutBucketPolicy",
                    "s3:DeleteAccessPointPolicy",
                    "s3:GetBucketLocation",
                    "s3:GetAccessPointPolicy",
                    "s3:ReplicateDelete",
                    "s3:GetObjectVersion"
                ],
                "Resource": "arn:aws:s3:::internshipbucket12",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "96.70.32.38/19"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Deny",
                "Action": [
                    "s3:ListStorageLensConfigurations",
                    "s3:GetAccessPoint",
                    "s3:PutAccountPublicAccessBlock",
                    "s3:GetAccountPublicAccessBlock",
                    "s3:ListAllMyBuckets",
                    "s3:ListAccessPoints",
                    "s3:ListJobs",
                    "s3:PutStorageLensConfiguration",
                    "s3:CreateJob"
                ],
                "Resource": "*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "96.70.32.38/19"
                    }
                }
            }
        ]
}
任何人观看此视频,我无法限制访问

这不是它的工作原理。您的策略是IAM策略,而不是bucket策略。这意味着只有启用了显式允许的IAM用户和角色才能访问视频。您的策略不允许匿名访问

此外,您的拒绝将仅适用于来自
96.70.32.38/19
地址的请求。如果要使用不同的IP,则策略不适用。要拒绝应用于除您自己的IP地址以外的所有其他IP地址,您需要
NotIpAddress
,而不是
条件下的
IpAddress
,如中所述。此外,您的第一条语句将仅应用于bucket,而不是其对象。对于对象和存储桶,您需要:


 "Resource": [
      "arn:aws:s3:::internshipbucket12",
      "arn:aws:s3:::internshipbucket12/*",
  ]


此外,默认情况下,存储桶和对象是私有的。因此,您不需要将IAM策略用于显式拒绝。默认情况下,任何人都无法访问bucket及其内容,除非您作为管理员在策略中允许这样做