Thursday, 6 May 2021

deny and allow access to S3 bucket

 https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html



{
    "Id": "PolicyId2",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowIPmix",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "54.240.143.0/24",
                        "2001:DB8:1234:5678::/64"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "54.240.143.128/30",
                        "2001:DB8:1234:5678:ABCD::/80"
                    ]
                }
            }
        }
    ]
}


https://s3tools.org/kb/item10.htm



How to restrict access to a bucket to specific IP addresses

To secure our files on Amazon S3, we can restrict access to an S3 bucket to specific IP addresses.

The following bucket policy grants any principal permission to perform any S3 action on objects in the specified bucket, provided the request originates from the range of IP addresses given in the condition. The condition identifies the 192.168.143.0/24 range of allowed addresses with one exception, 192.168.143.188. Three things to check before relying on it: the Resource covers only objects (bucket/*), so bucket-level actions such as s3:ListBucket are not granted; Principal "*" includes unauthenticated requests, so anyone on that network can read, write and delete objects (and S3 Block Public Access, if enabled, will reject the policy); and an Allow statement only adds permissions, it never takes away access a principal already has through its own IAM policy. To actually restrict a bucket to an IP range, use an Effect of Deny with a NotIpAddress condition, since an explicit Deny overrides every Allow.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyIPRestrict",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition" : {
                "IpAddress" : {
                    "aws:SourceIp": "192.168.143.0/24"
                },
                "NotIpAddress" : {
                    "aws:SourceIp": "192.168.143.188/32"
                }
            }
        }
    ]
}

The IpAddress and NotIpAddress values specified in the condition use CIDR notation as described in RFC 4632. For more information, go to http://www.rfc-editor.org/rfc/rfc4632.txt
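To see how the IpAddress and NotIpAddress conditions in the AWS policy above and in the s3tools policy actually combine, here is a small evaluator written for this page (it is not code from AWS, s3tools or this blog). It applies the three IAM evaluation rules the policies depend on: values under one condition key are OR-ed, operators inside one Condition block are AND-ed, and an explicit Deny beats any Allow. It also shows the caveat: an Allow-with-condition bucket policy does not stop a caller whose IAM identity policy already grants s3:*, while Deny statements do. The Deny policy, the other_allow flag and the simplification that Action and Resource always match are assumptions made for the example.

```python
"""Toy evaluator for aws:SourceIp conditions (added example, not AWS code).

Assumed simplifications: only aws:SourceIp with the IpAddress/NotIpAddress
operators is understood, and Action/Resource are taken to match.
"""
import ipaddress


def in_any(source_ip, cidrs):
    """True if source_ip lies inside any CIDR in cidrs (a str or a list)."""
    addr = ipaddress.ip_address(source_ip)
    for cidr in [cidrs] if isinstance(cidrs, str) else cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # An IPv4 address never matches an IPv6 prefix, and vice versa.
        if addr.version == net.version and addr in net:
            return True
    return False


def condition_matches(condition, source_ip):
    """Operators in one Condition block are AND-ed: all of them must hold."""
    for operator, keys in condition.items():
        hit = in_any(source_ip, keys.get("aws:SourceIp", []))  # values are OR-ed
        if operator == "IpAddress" and not hit:
            return False
        if operator == "NotIpAddress" and hit:
            return False
    return True


def evaluate(policy, source_ip, other_allow=False):
    """Return "allow" or "deny" for a request arriving from source_ip.

    other_allow simulates an Allow that lives outside this bucket policy
    (e.g. in the caller's IAM identity policy) and so is not subject to
    the bucket policy's IP condition.
    """
    allowed = other_allow
    for statement in policy["Statement"]:
        if not condition_matches(statement.get("Condition", {}), source_ip):
            continue
        if statement["Effect"] == "Deny":
            return "deny"  # explicit deny wins over every Allow
        allowed = True
    return "allow" if allowed else "deny"


# The Allow-with-condition policy from the s3tools KB entry.
ALLOW_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IPAllow", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "192.168.143.0/24"},
                  "NotIpAddress": {"aws:SourceIp": "192.168.143.188/32"}}}]}

# The mixed IPv4/IPv6 example from the AWS documentation.
AWS_MIX = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowIPmix", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {
        "IpAddress": {"aws:SourceIp": ["54.240.143.0/24", "2001:DB8:1234:5678::/64"]},
        "NotIpAddress": {"aws:SourceIp": ["54.240.143.128/30",
                                          "2001:DB8:1234:5678:ABCD::/80"]}}}]}

# The s3tools intent expressed as Deny statements (constructed for this
# example). Two statements are needed: "outside the /24" OR "the excluded
# host" cannot be written in one Condition, whose operators are AND-ed.
DENY_OUTSIDE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideRange", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "192.168.143.0/24"}}},
    {"Sid": "DenyExcludedHost", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": "192.168.143.188/32"}}}]}


if __name__ == "__main__":
    # An IAM user whose own policy grants s3:* (other_allow=True) still gets
    # in from 10.0.0.5 under ALLOW_ONLY; DENY_OUTSIDE stops the same request.
    for name, policy in (("allow-only", ALLOW_ONLY), ("deny-outside", DENY_OUTSIDE)):
        for ip in ("192.168.143.10", "192.168.143.188", "10.0.0.5"):
            print(f"{name:12} {ip:16} anonymous={evaluate(policy, ip):5} "
                  f"iam-user={evaluate(policy, ip, other_allow=True)}")
```

Note that DENY_OUTSIDE grants nothing by itself: a request from an allowed address is still denied unless some Allow exists elsewhere, which is exactly the property you want from a restriction.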

Tuesday, 4 May 2021

access S3 bucket without access key and secret key

 https://stackoverflow.com/questions/44062813/aws-s3-upload-without-access-and-secret-key-in-java

import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

// SDK for Java v1: no key in code, credentials come from the IAM role attached to the EC2 instance profile (via instance metadata); false = refresh on demand, no background thread
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
              .withCredentials(new InstanceProfileCredentialsProvider(false))
              .build();

https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_provider.html
https://stackoverflow.com/questions/52286306/using-ec2-metadata-credentials-in-the-laravel-filesystem