Saturday, 9 September 2023

AWS S3 bucket access to specific IP

Restrict access to an AWS S3 bucket to a specific IP address using a bucket policy.


Learning Objectives:

  • Secure a bucket by allowing only a known, specific IP address to read its contents. The same policy extends to a range of addresses by giving a CIDR block instead of a single IP.

  • Learn how to apply a resource-based policy (a bucket policy) with a condition on the request.


Step 1: In the AWS Console go to the S3 service and click on Create bucket.

In the new window, under General configuration, provide the bucket name. We use bucketforpolicy258 as the bucket name in this document.

Scroll down and uncheck Block all public access.

Check the acknowledgement of these settings. Note that this removes the account-level guard rail: from here on the bucket policy is the only thing keeping the objects private, so verify the policy before uploading anything sensitive.

Scroll to the end of the page and click on Create bucket.

Check that the bucket is created.


Step 2: Click on the bucket and go to the Objects tab. Click on Add files and add 2 images to the bucket.

Acknowledge the disabled versioning and click on Upload at the end of the page.


Step 3: Go back to the bucket level and click on the Permissions tab.

Scroll down to Bucket policy and click on Edit.

In the new window first copy the Bucket ARN and then click on Policy generator.

In the AWS Policy Generator provide the following values:

Select Type of Policy: S3 Bucket Policy

Effect: Allow

Principal: * (an asterisk, meaning anyone, including unauthenticated requests; without a condition this statement would make every object world-readable, so the condition added below is what does the restricting)

Actions: GetObject

ARN: arn:aws:s3:::bucketforpolicy258/* (replace this with your copied ARN followed by /*; the /* matches every object in the bucket, whereas the bare bucket ARN does not match s3:GetObject at all)

Click on Add Conditions (Optional) and provide the following values:

Condition: IpAddress

Key: aws:SourceIp

Value: (your public IP address, in CIDR form: the address followed by /32 for exactly one host, or a shorter prefix such as /24 to allow a whole range)

To find your public IP address use the following URL: https://www.whatismyip.com/

Keep in mind that aws:SourceIp is the public address S3 sees, so everyone behind the same NAT or ISP gateway shares it and gets the same access, and that it changes whenever your provider reassigns your address. Requests that reach S3 through a VPC endpoint carry no public IP; for those use the aws:VpcSourceIp key instead.

Click on Add Condition.

Click on Add Statement.

Scroll down and click on Generate Policy.

Copy the policy from the Policy JSON Document pop-up window.

Go back to Edit bucket policy and paste the JSON into the Policy window.

Click on Save changes.


Step 4: Go back to the bucket and test access from your IP address.

Click on any one of the images and copy its Object URL. Open the URL in a browser: the image is displayed, because the request is anonymous, comes from the allowed IP and therefore matches the Allow statement.

Open the same URL from a different network (a different Internet Service Provider, or a phone on mobile data). S3 answers with HTTP 403 and an AccessDenied error, because no statement allows an anonymous request from that address.

Thus access from a specific IP is established. Be clear about what the policy does and does not do: it grants anonymous reads from the one IP, but it takes nothing away from IAM users and roles that already hold s3:GetObject through their own policies (including the user you are signed into the console as, if it has S3 permissions); they can still fetch the objects from any address. To restrict those callers as well, add a second statement with Effect Deny, the same Principal, Action and Resource, and a NotIpAddress condition on aws:SourceIp. Keep that Deny limited to s3:GetObject, so that you can still edit the bucket policy from another address if you lock yourself out.
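The following script is an added example, not code from the original post. It builds the same policy the Policy Generator produces in Step 3, builds the stricter Allow-plus-Deny variant, and then checks both against the requests from Step 4 offline, using a simplified model of S3 authorization (explicit Deny wins, otherwise any matching Allow from the bucket policy or the caller's IAM policy allows, otherwise implicit deny). The bucket name is the post's; the IP addresses and object key are constructed samples (RFC 5737 documentation ranges), and there is no network access.

```python
"""Build the IP-restricted S3 bucket policy from the walkthrough, the stricter
Allow+Deny variant, and evaluate sample requests against both offline.
Added example; IP addresses and the object key below are constructed samples."""
import fnmatch
import ipaddress
import json

BUCKET = "bucketforpolicy258"   # bucket name used in the walkthrough
MY_IP = "203.0.113.42"          # constructed: what whatismyip.com would show you
OTHER_IP = "198.51.100.7"       # constructed: an address on a different ISP


def as_cidr(ip: str) -> str:
    """Turn a bare address into an explicit single-host CIDR (/32 or /128).
    Widening the prefix (e.g. /24) is how the policy extends to an IP range."""
    return str(ipaddress.ip_network(ip, strict=False))


def allow_policy(bucket: str, cidr: str) -> dict:
    """Equivalent of the Step 3 Policy Generator output: anonymous GetObject on
    every object, but only when the request's public source IP is inside cidr."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGetObjectFromKnownIp",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": cidr}},
        }],
    }


def allow_and_deny_policy(bucket: str, cidr: str) -> dict:
    """Same Allow plus an explicit Deny for every other source IP. Only the
    Deny restricts callers who already hold s3:GetObject through IAM. Scoping
    the Deny to s3:GetObject leaves PutBucketPolicy usable, so an admin at the
    wrong address can still fix the policy instead of being locked out."""
    policy = allow_policy(bucket, cidr)
    policy["Statement"].append({
        "Sid": "DenyGetObjectFromOtherIps",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": cidr}},
    })
    return policy


def _condition_holds(condition: dict, source_ip: str) -> bool:
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp
    (only the operators these two policies use are modelled)."""
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        ranges = keys["aws:SourceIp"]
        ranges = [ranges] if isinstance(ranges, str) else ranges
        in_range = any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate_get_object(policy: dict, bucket: str, key: str, source_ip: str,
                        identity_allows: bool = False) -> str:
    """Simplified S3 authorization for s3:GetObject on one object.

    An explicit Deny that matches wins outright; otherwise the request is
    allowed if any Allow matches, whether in the bucket policy or (for an IAM
    principal) in the caller's own identity-based policy; otherwise it is
    implicitly denied. identity_allows=False models an anonymous request,
    which has no identity-based policy at all (the browser test in Step 4).
    Returns "allow", "explicit-deny" or "implicit-deny".
    """
    resource = f"arn:aws:s3:::{bucket}/{key}"
    allowed = identity_allows
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "s3:GetObject" not in actions and "s3:*" not in actions:
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"      # Deny wins regardless of any Allow
        allowed = True
    return "allow" if allowed else "implicit-deny"


if __name__ == "__main__":
    cidr = as_cidr(MY_IP)
    print(json.dumps(allow_policy(BUCKET, cidr), indent=2))   # paste-ready for the console
    cases = [("anonymous browser, my IP", MY_IP, False),
             ("anonymous browser, other ISP", OTHER_IP, False),
             ("IAM user holding s3:GetObject, other ISP", OTHER_IP, True)]
    for label, build in (("Allow only", allow_policy), ("Allow + Deny", allow_and_deny_policy)):
        for desc, ip, iam in cases:
            verdict = evaluate_get_object(build(BUCKET, cidr), BUCKET, "image1.jpg", ip, iam)
            print(f"{label:13} {desc:42} -> {verdict}")
```

Running it prints the Allow-only policy (the JSON the console expects; it can also be applied from the CLI with aws s3api put-bucket-policy --bucket bucketforpolicy258 --policy file://policy.json) and then the verdict table. The third row is the point of the caveat above: under the Allow-only policy an IAM principal with its own s3:GetObject grant is allowed from the other ISP, and only the Allow + Deny variant turns that into an explicit deny.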

