我試圖使用S3存儲作爲一個簡單的虛擬主機,但是想要把它背後的反向代理能夠分層一些必要的安全控制措施。AWS桶政策的反向代理
我有,我想限制對S3的Web訪問的反向代理相關的IP地址。當我在存儲桶策略中應用基於IP的限制時,雖然它似乎使帳戶中的管理交互非常難以阻止。
我想不會破壞通過控制檯/ IAM用戶/聯合角色從帳戶中訪問,但啓用HTTP訪問S3網站只是反向代理相關的IP地址。
對什麼是需要啓用Web訪問表明,我需要這個政策聲明,所以我已經包括它開始與AWS文檔。
{
"Id": "S3_Policy",
"Statement": [
{
"Sid": "AllowWebAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
然後我想限制網絡流量到一組特定的IP,所以我添加了這個語句。
{
"Id": "S3_Policy",
"Statement": [
{
"Sid": "AllowWebAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
},
{
"Sid": "DenyNonProxyWebAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"99.99.99.1/32",
"99.99.99.2/32",
"99.99.99.3/32",
"99.99.99.4/32",
"99.99.99.5/32"
]
}
}
}
]
}
這種拒絕策略具有阻止我從與IAM用戶訪問我的帳戶內的能力的意想不到的後果或聯合承擔的角色,所以我增加了一個明確允許這些資源。如果可能的話,我想只是爲了「賬戶」而放置一個毯子。這讓我有了這個政策,而且這似乎並不符合我的願望。我似乎無法將其作爲我的用戶進行管理,也無法從代理訪問網絡內容。
{
"Id": "S3_Policy",
"Statement": [
{
"Sid": "AllowWebAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
},
{
"Sid": "DenyNonProxyWebAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"99.99.99.1/32",
"99.99.99.2/32",
"99.99.99.3/32",
"99.99.99.4/32",
"99.99.99.5/32"
]
}
}
},
{
"Sid": "AllowAccountUsersAccess",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:IAM::999999999999:user/[email protected]",
"arn:aws:IAM::999999999999:user/[email protected]",
"999999999999"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::my bucket"
]
}
]
}
有沒有辦法有一個S3存儲是僅限於選擇的IP範圍的網絡訪問,而無需中斷從賬戶管理桶本身的能力的靜態虛擬主機?