-10

Do you know any bucket policy that would allow me to block access to S3 files from specific countries?

PanosJee
  • 3,866
  • 6
  • 36
  • 49

2 Answers2

0

Although you can block a specific IP range using an S3 bucket policy it is impossible to list all the IP ranges assigned from a specific country in this policy, as AWS imposes a 20KB limit on the size of the policy.

Bucket Policies are Limited to 20 Kilobytes in Size—If you have a large number of objects and users, your bucket policy could reach the 20K size limit.

(from http://docs.aws.amazon.com/AmazonS3/latest/dev/WhenToUseACLvsBucketPolicy.html)

A better solution to your problem would be to configure your S3 bucket to use signed requests (Query String Authentication) as described here:

http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth

and have a separate web service that checks the client's IP using a geolocation service and only issues these signed requests to clients that match your criteria.

dcro
  • 13,294
  • 4
  • 66
  • 75
  • Thanks for the answer. Unfortunately I am looking at anonymous downloads and this what I want to prevent (not API access) – PanosJee Aug 04 '13 at 16:00
  • 2
    Another alternative solution would be to proxy all the S3 requests through your own server on EC2 and do a geolocation check before allowing users to access to content. – dcro Aug 07 '13 at 14:48
  • 1
    It seems this is the only solution. – PanosJee Aug 07 '13 at 15:33
0

Amazon CloudFront Adds Geo Restriction Feature. Take a look at http://aws.amazon.com/about-aws/whats-new/2013/12/18/amazon-cloudfront-adds-geo-restriction-feature/

Larry
  • 9
  • 1