Is this possible to set different condition in the Policy on S3 bucket ?

Question

we have whitelisted some set of IP's and VPC on S3 bucket so that only whitelisted users can access those objects URL.

But we also want to serve same set of objects through Cloudfront as well.This Cloudfront URL will be used internally only.Can we add them as well ?
Any recommendations in the below policy which needs to be set ?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::toch-poc-2/*",
            "Condition": {
                "ForAnyValue:StringEqualsIfExists": {
                    "aws:SourceVpc": "vpc-01da38acfdde46edd"
                }
            }
        },
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::toch-poc-2/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "43.204.223.244/32",
                        "34.126.80.246/32",
                        "34.142.191.139/32",
                        "34.143.188.86/32",
                        "49.249.215.66/32",
                        "15.207.175.132/32",
                        "10.190.3.0/24"
                    ]
                }
            }
        }
    ]
}

Accepted Answer

Yes, this is possible by using CloudFront [Origin Access Control](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) and adding a statement to bucket policy to allow this. Then use a [WAF ACL](https://docs.aws.amazon.com/waf/latest/developerguide/waf-ip-set-managing.html) to allow only your CIDR addresses to access the distribution.

Answer

thanks.This worked

Is this possible to set different condition in the Policy on S3 bucket ?

관련 콘텐츠