search
cegedim.cloudITCareAPI

Manage Bucket access

If you want to control network accesses on objects in a Bucket, you will have to create a Bucket Policy using aws:SourceIp condition.

circle-info

We use aws s3 and awss3api command line tools from AWSCLIv2 on Linux.

${S3_ENDPOINT} and ${S3_PROFILE} are environment variables.

Create a file with the following bucket policy:

{
  "Version": "2012-10-17",
  "Id": "OnlyInternal",
  "Statement": [
    {
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/8",
            "192.168.0.0/16"
          ]
        }
      },
      "Action": "s3:*",
      "Resource": [
        "<bucket>/*",
        "<bucket>"
      ],
      "Effect": "Deny",
      "Principal": "*",
      "Sid": "BlockExternal"
    }
  ]
}

This will :

  • Deny all operations from requests where the IP source address doesn't come from networks others that 10.0.0.0/8 and 192.168.0.0/16

Change <bucket> by your bucket name.

For a complete documentation about Bucket Policy, please refer to Bucket Policies.

circle-info

cegedim.cloud Object Storage service is a compatible S3 service. Some specific AWS features are not supported.

hashtag
CIDR notation

With the aws:SourceIp condition, supports IPV4 addresses or IPV4 address ranges. IPV6 addresses are not supported.

When aws:SourceIp is a complete network (e.g. 10.0.0.0), you must specify the subnet mask in CIDR (Classless Inter-Domain Routing) format.

Example:

  • 10.0.0.0/8

  • 192.168.0.0/16

  • 10.45.2.0/24

When aws:SourceIp is an IP address (e.g. 98.2.3.123), do not specify the subnet mask in CIDR (Classless Inter-Domain Routing) format.

Examples:

  • 98.2.3.123

  • 192.168.1.23

  • 10.45.2.67

Put the the policy on your Bucket:

Check if the policy is correctly set:

PreviousManage versioning in BucketNextOverDrive

Last updated