[AWS] S3 #02 Bucket Policies (Controlling Retrieval)

 S3 Security
2013.06.13

To allow retrieval (GET) of every object in the bucket


Set Condition > IpAddress > aws:SourceIp to 0.0.0.0/0, which matches any source address.
(Change Resource to the ARN of the bucket you actually manage.)

{
    "Version": "2008-10-17",
    "Id": "S3BucketPolicy",
    "Statement": [
        {
            "Sid": "AllowToGetByIP",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::your.backet.name/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "0.0.0.0/0"
                }
            }
        }
    ]
}

Specify a CIDR other than 0.0.0.0/0 in Condition > IpAddress > aws:SourceIp and you have
a dead-simple IP address restriction.

{
    "Version": "2008-10-17",
    "Id": "S3BucketPolicy",
    "Statement": [
        {
            "Sid": "AllowToGetByIP",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::your.backet.name/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.168.0.0/16"
                }
            }
        }
    ]
}

To restrict by Referer:

{
    "Version": "2008-10-17",
    "Id": "S3BucketPolicy",
    "Statement": [
        {
            "Sid": "AllowToGetByReferer",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your.backet.name/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://yourdomain.com/css/*",
                        "http://yourdomain.com/*"
                    ]
                }
            }
        }
    ]
}

Something like that. Easy.
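As an added example (not part of the original post), a small Python model of how the three policies above evaluate an anonymous GetObject request. It covers only the two condition operators used here, IpAddress and StringLike, and rebuilds the policies inline with the post's placeholder bucket name; the sample addresses and Referer values are constructed. It makes two points visible: 0.0.0.0/0 matches every IPv4 address, so the first policy is a public-read policy rather than a restriction, and the Referer condition is evaluated purely against the header value the client sends.

```python
import ipaddress
import re

# Constructed policies in the same shape as the three shown above
# (same placeholder bucket name); the evaluator itself is simplified.
def make_policy(sid, action, condition):
    return {"Version": "2008-10-17", "Id": "S3BucketPolicy", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": action,
        "Resource": "arn:aws:s3:::your.backet.name/*", "Condition": condition}]}

OPEN_POLICY = make_policy("AllowToGetByIP", "s3:GetObject*",
                          {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}})
LAN_POLICY = make_policy("AllowToGetByIP", "s3:GetObject*",
                         {"IpAddress": {"aws:SourceIp": "192.168.0.0/16"}})
REFERER_POLICY = make_policy("AllowToGetByReferer", "s3:GetObject", {"StringLike": {
    "aws:Referer": ["http://yourdomain.com/css/*", "http://yourdomain.com/*"]}})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _string_like(pattern, value):
    # StringLike semantics: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return value is not None and re.fullmatch(regex, value) is not None

def _ip_address(cidrs, source_ip):
    # IpAddress: the caller's address must fall inside one of the CIDR blocks.
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def policy_allows(policy, action, source_ip, referer=None):
    """Would an anonymous request for `action` be allowed by this policy?"""
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        # Action may itself carry a wildcard, e.g. "s3:GetObject*".
        if not any(_string_like(a, action) for a in _as_list(s["Action"])):
            continue
        ok = True
        for op, keys in s.get("Condition", {}).items():
            if op == "IpAddress":
                ok = ok and _ip_address(keys["aws:SourceIp"], source_ip)
            elif op == "StringLike":
                ok = ok and any(_string_like(p, referer)
                                for p in _as_list(keys["aws:Referer"]))
            else:
                raise NotImplementedError(f"condition operator {op} not modelled")
        if ok:
            return True
    return False
```

Run the same request against each policy with different source addresses and Referer values to see which statement admits it; note that a matching Referer string is all the third policy requires.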