2

say I have a condition like where I want that if the request is not from these ips ["192.0.2.0/24","203.0.113.0/24"] and if the request doesn't have a referrer among the following [example1.com, example2.com ] then deny it. I know individually I can do something like this:

{
    "Sid": "6",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my_bucket/*",
    "Condition": {    
        "IpAddress":{
            "aws:SourceIp": ["192.0.2.0/24","203.0.113.0/24"]
        }           
    }
}

{
    "Sid": "7",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::indeev5-dev-media/*/video/*",
    "Condition": {
        "StringNotLike": {
            "aws:Referer": [
                "http://example1.com/*",
                "http://example2.com/*",
            ]
        }
    }
}

but how can I do an "and" here.I.e check for both conditions at the same time. I had posted a question which kinda had the same end objective so any pointers would be highly appreciated here. In short what I want to do is deny all requests which are not from the referrer list except the ones which are from the ip list. Thanks

Community
  • 1
  • 1
Aameer
  • 1,366
  • 1
  • 11
  • 30
  • Are you intentionally using a different source in the first and second statement? That makes it difficult to answer. – tedder42 Nov 19 '15 at 12:10

1 Answers1

1

It appears that your logic requirement is:

  • Allow any request where IP is in ["192.0.2.0/24","203.0.113.0/24"]
  • Allow any request where referrer is in ["http://example1.com/*", "http://example2.com/*"]

So, you could configure it as an OR rather than an AND NOT, and by only using ALLOW rather than DENY. This has the benefit of allowing User policies to work (which may be overridden by use of DENY).

The policy would be in two parts:

  • ALLOW "Condition": {"IpAddress":{"aws:SourceIp": ["192.0.2.0/24","203.0.113.0/24"]}}
  • ALLOW "Condition": {"StringLike": {"aws:Referer": ["http://example1.com/*","http://example2.com/*",]}}

(I have not tested this.)

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • Thanks a lot for your time @john.I have a question ,so what would happen if say a request from different ip (not in our list ) with on of the allowed referrer is comes , in your case it would allow that but it shouldn't as my first part is Allow and second part is Deny. Moreover string not like allow is when I want to block certain domains not when i want to allow few – Aameer Nov 19 '15 at 11:29
  • Your question is confusing... Are you supplying a list of ALLOWED referrers or DENIED referrers? Your question says "and if the request has referrer among the following [example1.com, example2.com ] then deny it". – John Rotenstein Nov 19 '15 at 11:31
  • sorry I will fix it you are right,updated the question, I am supplying the ALLOWED referrers – Aameer Nov 19 '15 at 11:32
  • This won't work as [S3 buckets are wide open to all IP addresses by default](https://pete.wtf/2012/05/01/how-to-setup-aws-s3-access-from-specific-ips/). Adding a statement that ALLOWs access to IPs has no effect; only statements that DENY access do. In fact the [example](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-3) in the AWS documentation is dangerously wrong. The answer above will only restrict the referer, but will leave the bucket open to all IP addresses. – Dan Tenenbaum Jan 15 '18 at 02:10
  • @Dan -- That is partially correct. Yes, if an ALLOW statement does not specify an IP address, then it applies to all IP addresses. However, if an ALLOW statement specifies a SourceIp condition, then then access is only granted if accessed from the listed IP addresses. I did exactly that now and can confirm that an ALLOW with an IP address is sufficient to grant access. Just ensure that all ALLOW statements include the condition. – John Rotenstein Jan 15 '18 at 02:55