Manage Bucket access

If you want to control network accesses on objects in a Bucket, you will have to create a Bucket Policy using aws:SourceIp condition.

We use aws s3 and awss3api command line tools from AWSCLIv2 on Linux.

${S3_ENDPOINT} and ${S3_PROFILE} are environment variables.

Create a file with the following bucket policy:

{
  "Version": "2012-10-17",
  "Id": "OnlyInternal",
  "Statement": [
    {
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/8",
            "192.168.0.0/16"
          ]
        }
      },
      "Action": "s3:*",
      "Resource": [
        "<bucket>/*",
        "<bucket>"
      ],
      "Effect": "Deny",
      "Principal": "*",
      "Sid": "BlockExternal"
    }
  ]
}

This will :

Deny all operations from requests where the IP source address doesn't come from networks others that 10.0.0.0/8 and 192.168.0.0/16

Change <bucket> by your bucket name.

For a complete documentation about Bucket Policy, please refer to Bucket Policies.

cegedim.cloud Object Storage service is a compatible S3 service. Some specific AWS features are not supported.

CIDR notation

With the aws:SourceIp condition, supports IPV4 addresses or IPV4 address ranges. IPV6 addresses are not supported.

When aws:SourceIp is a complete network (e.g. 10.0.0.0), you must specify the subnet mask in CIDR (Classless Inter-Domain Routing) format.

Example:

10.0.0.0/8
192.168.0.0/16
10.45.2.0/24

When aws:SourceIp is an IP address (e.g. 98.2.3.123), do not specify the subnet mask in CIDR (Classless Inter-Domain Routing) format.

Examples:

98.2.3.123
192.168.1.23
10.45.2.67

Put the the policy on your Bucket:

aws s3api --endpoint=${S3_ENDPOINT} put-bucket-policy --bucket bucket-test --policy file://mypolicy.json --profile ${S3_PROFILE}

Check if the policy is correctly set:

aws s3api --endpoint-url=${S3_ENDPOINT} get-bucket-policy --bucket bucket-test --profile ${S3_PROFILE}

PreviousManage versioning in Bucket NextOverDrive

Last updated 1 year ago

{ "Version": "2012-10-17", "Id": "OnlyInternal", "Statement": [ { "Condition": { "NotIpAddress": { "aws:SourceIp": [ "10.0.0.0/8", "192.168.0.0/16" ] } }, "Action": "s3:*", "Resource": [ "<bucket>/*", "<bucket>" ], "Effect": "Deny", "Principal": "*", "Sid": "BlockExternal" } ] }

CIDR notation

With the aws:SourceIp condition, supports IPV4 addresses or IPV4 address ranges. IPV6 addresses are not supported.

When aws:SourceIp is a complete network (e.g. 10.0.0.0), you must specify the subnet mask in CIDR (Classless Inter-Domain Routing) format.

Example:

10.0.0.0/8

192.168.0.0/16

10.45.2.0/24

When aws:SourceIp is an IP address (e.g. 98.2.3.123), do not specify the subnet mask in CIDR (Classless Inter-Domain Routing) format.

Examples:

98.2.3.123

192.168.1.23

10.45.2.67

Put the the policy on your Bucket:

aws s3api --endpoint=${S3_ENDPOINT} put-bucket-policy --bucket bucket-test --policy file://mypolicy.json --profile ${S3_PROFILE}

Check if the policy is correctly set:

aws s3api --endpoint-url=${S3_ENDPOINT} get-bucket-policy --bucket bucket-test --profile ${S3_PROFILE}