
Currently I am using the JavaScript AWS-SDK to generate signed download URLs for objects in an S3 bucket. However, I would also like to restrict the signed URL by IP address. Is this possible? I.e., if a user gets a signedUrl for a specific file, they should only be able to use that link if they are on a specific IP. I am not using CloudFront.

  • 1
    CloudFront supports this natively, but S3 does not. I *think* it's possible to do this with S3 if you bring Security Token Service into the mix, obtaining a set of temporary credentials and then using those to sign the request, instead of using your key directly. A security token can have embedded IAM policy constraints, which should include support for a source IP restriction. Sounds complicated but it probably is not as bad as it sounds. I'll test it. – Michael - sqlbot Nov 04 '16 at 02:07
  • Of course, the simple solution is to connect a CloudFront distribution to the bucket, and use CloudFront signed URLs to authorize these requests. – Michael - sqlbot Nov 04 '16 at 02:09
  • So the one tool I am not using, but mentioned, is the tool that would make it simple to implement. Sounds good. Thanks. I will look into it. – Jeremiah Gibson Nov 04 '16 at 16:45
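
The STS approach outlined in the first comment, written out as an added example (not code from the thread or from AWS): temporary credentials are issued with a session policy that allows `s3:GetObject` on one object only from one source IP, and the URL is signed with those credentials. It assumes the AWS SDK for JavaScript v2, a configured region, and IAM user credentials permitted to call `sts:GetFederationToken` and `s3:GetObject`; the function names and the session name are hypothetical.

```javascript
// Added example. Assumes AWS SDK for JavaScript v2 ("aws-sdk") and IAM user
// credentials in the default provider chain.

// Accept "203.0.113.7" or "203.0.113.0/24"; return CIDR form or throw.
function toCidr(input) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(input);
  if (!m || m.slice(1, 5).some((o) => Number(o) > 255)) {
    throw new Error(`not an IPv4 address or CIDR: ${input}`);
  }
  const bits = m[5] === undefined ? 32 : Number(m[5]);
  // /0 would match every address and silently remove the restriction.
  if (bits < 1 || bits > 32) throw new Error(`refusing prefix length /${bits}`);
  return `${m.slice(1, 5).map(Number).join('.')}/${bits}`;
}

// Session policy: the temporary credentials may only GET this one object,
// and only when the request reaches S3 from clientIp.
function buildSessionPolicy(bucket, key, clientIp) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: 's3:GetObject',
      Resource: `arn:aws:s3:::${bucket}/${key}`,
      Condition: { IpAddress: { 'aws:SourceIp': toCidr(clientIp) } },
    }],
  };
}

async function ipLockedUrl(bucket, key, clientIp, seconds = 900) {
  const { default: AWS } = await import('aws-sdk');
  // Effective permissions = the IAM user's policies intersected with the session policy.
  const { Credentials: c } = await new AWS.STS().getFederationToken({
    Name: 'ip-locked-download', // hypothetical session name
    Policy: JSON.stringify(buildSessionPolicy(bucket, key, clientIp)),
    DurationSeconds: Math.max(900, seconds), // STS minimum is 900 seconds
  }).promise();
  const s3 = new AWS.S3({
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
    signatureVersion: 'v4',
  });
  // The URL stops working when it expires or when the credentials do, whichever is first.
  return s3.getSignedUrlPromise('getObject', { Bucket: bucket, Key: key, Expires: seconds });
}
```

S3 evaluates `aws:SourceIp` against the address it sees, so clients behind NAT or a proxy must be matched on their public egress address.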

0 Answers