How can I restrict IP addresses dynamically and release them after 24hrs?

0

I want to restrict the IP address for some hours (say 24 hrs), for those who query my AWS S3 bucket (public read only) for more than 100/second. As they might be spam and want to harm my business by increasing traffic and raising my AWS costs. So far I have not found any policy example to perform this. How can I restrict these types of IP addresses dynamically and release them after 24hrs?

Asked a year ago · 322 views
2 Answers
1

Unfortunately there isn't an easy one-click option afaik - One way I can think of this could be achieved is you would need to enable server access logs for your S3 bucket - this would contain the source request information you require.

You would then need to process these logs. You could use Lambda to send the data to a log aggregation service like OpenSearch where you can perform the processing and take action - see this blog. Another option is to have a Step Function run on a schedule to use Athena to query the logs and take action (update your bucket policy to block). The main difference between these two options is how real time you need to process the logs and put the block in place.

AWS
Expert
Peter_G
answered a year ago
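
The log-processing step described in the answer above, sketched as an added example (not code from the answer or from AWS): it counts requests per IP per second in S3 server access log records, keeps a block list with a 24-hour expiry, and builds the bucket-policy `Deny` statement. The function names, the `Sid`, the bucket name and the log lines are constructed for illustration; storing the block list between runs and writing the policy to the bucket are assumed to happen elsewhere.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Leading fields of an S3 server access log record: owner bucket [time] remote_ip ...
LOG_RE = re.compile(r"^\S+ \S+ \[([^\]]+)\] (\S+) ")
THRESHOLD = 100                  # requests per second, from the question
BLOCK_FOR = timedelta(hours=24)  # block duration, from the question

def sample_lines():
    """Constructed log lines: one noisy client (101 hits in one second), one quiet."""
    rec = ('OWNERID example-bucket [01/Jan/2024:12:00:0{s} +0000] {ip} - REQID '
           'REST.GET.OBJECT img.png "GET /img.png HTTP/1.1" 200 - 512 512 9 8 "-" "-" -')
    return ([rec.format(s=0, ip="203.0.113.7")] * 101
            + [rec.format(s=s, ip="198.51.100.9") for s in (0, 1, 2)])

def offenders(lines, threshold=THRESHOLD):
    """Map each IP that exceeded `threshold` requests in one second to the last such second."""
    per_second = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed records
        try:
            ip = str(ipaddress.ip_network(m.group(2)))  # normalises to /32 or /128
        except ValueError:
            continue  # remote IP field was not an address
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        per_second[(ip, ts)] += 1
    hits = {}
    for (ip, ts), count in per_second.items():
        if count > threshold:
            hits[ip] = max(ts, hits.get(ip, ts))
    return hits

def refresh_blocklist(blocklist, hits, now):
    """Add new offenders, then drop entries whose 24-hour block has expired."""
    merged = dict(blocklist)
    for ip, ts in hits.items():
        merged[ip] = max(ts + BLOCK_FOR, merged.get(ip, ts + BLOCK_FOR))
    return {ip: expiry for ip, expiry in merged.items() if expiry > now}

def deny_statement(bucket, blocklist):
    """Bucket-policy Deny statement for the blocked IPs, or None when nothing is blocked."""
    if not blocklist:
        return None
    return {"Sid": "TemporaryIpBlock", "Effect": "Deny", "Principal": "*",
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": sorted(blocklist)}}}
```

Each scheduled run would merge the returned statement into the existing bucket policy (replacing the previous `TemporaryIpBlock` statement, or removing it when the result is `None`), which is what releases an address after 24 hours. S3 delivers server access logs on a best-effort basis and with a delay, so a block built this way lags the traffic that triggered it.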
0

Another approach is to front the bucket with CloudFront and dynamically update a WAF ACL with a deny list. You could send the CloudFront logs to S3 and use Athena to query. This has the added benefit of not having a public bucket.

AWS
Expert
kentrad
answered a year ago
