
For instance, if I store data in US Standard, the S3 Pricing Page indicates that it is $0.00 per GB transferred out to Amazon EC2 in the Northern Virginia Region.

And it looks like GET requests are $0.004 per 10,000 requests.

So, it looks to me like if I set up my US Standard Region S3 rules correctly, and my clients set up their EC2 instances correctly in the Northern Virginia Region, it would cost me $0.004 TOTAL for 10,000 GET requests.

(On top of my S3 storage costs.)

If my clients want to move the data out of EC2, that cost is theirs, the billing is their problem, etc.

So, what combination of S3 Bucket Policies and IAM policies, or even legacy S3 ACLs would make this possible on my end?

1 Answer


Correct.

Take the published list of IP netblocks for us-east-1 (home of the US-Standard region in S3)...

https://forums.aws.amazon.com/ann.jspa?annID=1701

...and use it to craft a bucket policy to deny requests when the source IP is not in range, or allow only when the source IP is in range (the best choice will depend on your other policies, since a deny will always, always, always override a conflicting allow)...

http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

...and you should have what you need.

Alternatively, there's a concept of a "requester pays" bucket, where the burden of charges is left to the requester.

http://docs.aws.amazon.com/AmazonS3/latest/dev/RequesterPaysBuckets.html

This would mean your clients would have to do their own authentication against their own AWS credentials (which you would allow to access your bucket, either individually or globally, depending on your security model).

Or, depending on the content in question, you could require the client to create a bucket in US-Standard (verify with a /?location query to the bucket; no constraint means US-Standard) and you could push the content out to them, all at their expense.

Michael - sqlbot
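The first option in the answer, the "deny when the source IP is not in range" bucket policy, as an added example that is not part of the original answer or of AWS documentation. It builds the policy document from a list of netblocks and then runs sample requests through a small evaluator that models only the subset of IAM policy evaluation the policy uses (action and resource wildcards, `IpAddress`/`NotIpAddress` on `aws:SourceIp`, and the rule that an explicit Deny always beats an Allow). The bucket name and the CIDR blocks are constructed placeholders, not real AWS ranges; in practice you would substitute the current published list for us-east-1.

```python
"""Build an S3 bucket policy that denies GetObject from outside a set of
netblocks, then check sample requests against it. Added example; the
evaluator is a deliberately reduced model of IAM policy evaluation."""
import fnmatch
import ipaddress
import json

# Constructed placeholder netblocks standing in for the published us-east-1
# ranges. They are NOT real AWS ranges; fetch the current list before use.
EC2_US_EAST_1_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]

BUCKET = "example-bucket"  # hypothetical bucket name


def build_bucket_policy(bucket, allowed_cidrs):
    """Return a bucket policy (as a dict) with an Allow for GetObject from
    anywhere and an explicit Deny whenever aws:SourceIp is outside
    allowed_cidrs. Because the Deny overrides the Allow, only requests
    originating inside the listed ranges can read objects."""
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowGetObjectSubjectToDeny",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": objects_arn,
            },
            {
                "Sid": "DenyGetObjectFromOutsideRanges",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": objects_arn,
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _statement_matches(stmt, action, resource_arn, source_ip):
    """True if the statement applies to this request. Supports IAM-style
    '*' and '?' wildcards in Action/Resource and the two SourceIp
    condition operators used above; anything else is out of scope."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
        return False
    cond = stmt.get("Condition", {})
    if "IpAddress" in cond and not _ip_in_any(source_ip, cond["IpAddress"]["aws:SourceIp"]):
        return False
    if "NotIpAddress" in cond and _ip_in_any(source_ip, cond["NotIpAddress"]["aws:SourceIp"]):
        return False
    return True


def evaluate(policy, action, resource_arn, source_ip):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'. An explicit Deny wins
    over any Allow; a request no statement matches is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource_arn, source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, EC2_US_EAST_1_RANGES)
    print(json.dumps(policy, indent=2))
    key_arn = f"arn:aws:s3:::{BUCKET}/report.csv"
    for ip in ("203.0.113.10", "192.0.2.7"):
        print(ip, evaluate(policy, "s3:GetObject", key_arn, ip))
```

Two things follow from the policy shape rather than from the evaluator: the Deny carries `Principal: "*"`, so it also blocks your own IAM users' GetObject calls from any address outside the ranges, and it covers only `s3:GetObject`, so other operations fall through to whatever your IAM policies say. Since the published netblock list changes, the policy has to be regenerated and re-applied when AWS announces new ranges.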