You can try the aws:SourceVpc condition of the IAM policy document.
Check the details in the documentation! :)
Good idea! Thank you; however, it requires that the service on the other side is in a VPC. A non-VPC Lambda, for example, will not be able to access the data. In the meantime, a pretty good workaround! Thank you.
Hello
Yes, you can do that. Please follow the AWS Support blog post: https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/
Thank You GK
Thank you for your comment. Unfortunately, neither of the suggested restrictions solves the issue.
- A VPC endpoint service with our partners will cause a per-GB charge.
- Not all partners are ready to set up a NAT with a static IP, again because of the per-GB price.
In our case we are talking about hundreds of terabytes per month, so we are really sensitive about this question.
As it is written here: https://aws.amazon.com/s3/pricing/
"You pay for all bandwidth into and out of Amazon S3, except for the following:
... Data transferred from an Amazon S3 bucket to any AWS service(s) within the same AWS Region as the S3 bucket (including to a different account in the same AWS Region) ...."
So my question is how to put exactly this statement into a policy condition.
You could write a bucket policy that uses the SourceIP condition and limits it to EC2 CIDR address for your region.
curl https://ip-ranges.amazonaws.com/ip-ranges.json > ip-ranges.json
jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2") | .ip_prefix' < ip-ranges.json
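As an added example (not part of this thread or of AWS's own tooling), the filter from the two commands above done in Python, followed by turning the resulting prefixes into an aws:SourceIp bucket policy and a small check of which source address the condition would match. The ip-ranges data is a constructed sample in the shape of ip-ranges.json, and the bucket name and partner account id are placeholders.

```python
import ipaddress

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (documentation-only CIDRs, not real AWS ranges; fetch the real file with curl as above).
SAMPLE_IP_RANGES = {
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "AMAZON"},
    ],
}


def region_service_prefixes(ip_ranges, region, service="EC2"):
    """Same selection as the jq filter: prefixes for one region and service, deduplicated."""
    found = {
        p["ip_prefix"]
        for p in ip_ranges["prefixes"]
        if p["region"] == region and p["service"] == service
    }
    return sorted(found)


def build_bucket_policy(bucket, prefixes, partner_account="123456789012"):
    """Allow s3:GetObject to a named partner account only from the given source CIDRs.

    Caveats a reviewer would raise: aws:SourceIp is a network check, not an identity
    check, so keep a specific Principal rather than "*"; requests that arrive through a
    VPC endpoint have no public source IP and need aws:SourceVpc instead; and the full
    EC2 list for a region is long, while a bucket policy is capped at 20 KB.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowReadFromRegionEC2Ranges",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},  # placeholder
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": prefixes}},
        }],
    }


def source_ip_matches(policy, source_ip):
    """True if source_ip falls inside the policy's aws:SourceIp condition (IpAddress operator)."""
    cidrs = policy["Statement"][0]["Condition"]["IpAddress"]["aws:SourceIp"]
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)
```

With the sample data, an address in the eu-west-1 EC2 range is rejected by the us-east-1 policy even though it is an AWS address, which is the same-region restriction the question asks for.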
Hmm... It seems like I can't use s3:LocationConstraint for GetObject. It is written in the documentation: "Not all conditions make sense for all actions. For example, it makes sense to include an s3:LocationConstraint condition on a policy that grants the s3:CreateBucket Amazon S3 permission. However, it does not make sense to include this condition on a policy that grants the s3:GetObject permission."
Is there any other way to limit reads from a specific region?