49

I want to restrict bucket access to certain IPs. I know how to create a bucket policy from Restricting Access to Specific IP Addresses.

My question: Can this work with CloudFront? How? Can I allow only certain IPs to access CloudFront?

John Rotenstein
Moshe Shaham
  • 5
    To my future self: WAF is super expensive. Lambda@Edge is probably the better option for most use cases. The list of IPs/rules can be stored in S3 to allow for dynamic updates. – Cory Mawhorter Aug 13 '19 at 23:33
  • Lambda@Edge is $0.60/million invocations. WAF is about $0.60/million requests, so they are actually about the same price. I believe the WAF price was recently reduced. – cementblocks Sep 05 '19 at 19:35

3 Answers

59

Web Application Firewall is your friend.

http://docs.aws.amazon.com/waf/latest/developerguide/web-acl-ip-conditions.html

Create your rule with your IP addresses and WAF will take care of the rest.

You need to apply this to the required CloudFront distribution.

You can restrict your bucket policy to CloudFront, and restrict to your required IPs through CloudFront.

Kannaiyan
28

I created a custom rule to whitelist IPs and restrict the application served through a CloudFront distribution with the following steps.

Steps:

  1. Go to AWS WAF.
  2. Create the following IP match condition under IP Addresses:

    1. staging-appname-whitelist-ips
  3. Create the following rule under Rules:

    1. staging-appname-ui-stack-whitelisted-ips
      • with the condition above (similar for the production one)
  4. Finally, create the following Web ACL:
    1. staging-appname-acl
      • Select the correct CloudFront distribution, the rule created above and the IP address group.

Hope it helps!

rc.adhikari
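A worked version of the two WAF answers above, added here as an example and not code from either poster. One thing both answers leave implicit: the IP-restricted bucket policy from the question cannot do the job on its own once CloudFront is in front of the bucket, because S3 then sees the edge location's address as aws:SourceIp rather than the viewer's. The IP check therefore moves to CloudFront (WAF), and the bucket policy's only remaining job is to make that distribution the sole way into the bucket. The current API is WAFv2, so the console steps (IP match condition, rule, Web ACL) map onto an IP set, an IPSetReferenceStatement rule, and a web ACL whose default action is Block. The script below uses the AWS SDK v3 for JavaScript; the resource names, account ID, distribution ID, bucket name, the CF_DISTRIBUTION_ID and ALLOWED_IPS environment variables and the addresses are all assumptions.

```javascript
// Added example, not code from either answer: the WAFv2 + S3 pieces that make the
// "only these IPs, and only via CloudFront" pattern hold together. Resource names,
// the account ID, distribution ID, bucket name and addresses are placeholders.
'use strict';

// WAFv2 IP sets only accept CIDR notation, so a bare IPv4 address becomes a /32.
// Anything malformed throws rather than silently turning into a wide-open range.
function toCidr(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(addr.trim());
  if (!m) throw new Error(`not an IPv4 address or CIDR: ${addr}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = m[5] === undefined ? 32 : Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) throw new Error(`out of range: ${addr}`);
  return `${octets.join('.')}/${prefix}`;
}

// CreateIPSet input. Scope CLOUDFRONT must be used through the us-east-1 endpoint.
function buildIpSetRequest(name, addresses) {
  return { Name: name, Scope: 'CLOUDFRONT', IPAddressVersion: 'IPV4', Addresses: addresses.map(toCidr) };
}

// CreateWebACL input. The allowlist only works when the default action is Block:
// a web ACL that defaults to Allow plus an "allow these IPs" rule blocks nobody.
function buildWebAclRequest(name, ipSetArn) {
  const vis = (metric) => ({ SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: metric });
  return {
    Name: name,
    Scope: 'CLOUDFRONT',
    DefaultAction: { Block: {} },
    Rules: [{
      Name: `${name}-allow-listed-ips`,
      Priority: 0,
      Action: { Allow: {} },
      Statement: { IPSetReferenceStatement: { ARN: ipSetArn } },
      VisibilityConfig: vis(`${name}AllowListedIps`),
    }],
    VisibilityConfig: vis(`${name}WebAcl`),
  };
}

// Bucket policy granting read access to the CloudFront service principal, and only for
// this one distribution (origin access control). Without it a client can skip CloudFront,
// and with it the WAF allowlist, by fetching objects from the S3 URL directly.
function buildBucketPolicy(bucket, accountId, distributionId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'AllowCloudFrontServicePrincipalReadOnly',
      Effect: 'Allow',
      Principal: { Service: 'cloudfront.amazonaws.com' },
      Action: 's3:GetObject',
      Resource: `arn:aws:s3:::${bucket}/*`,
      Condition: { StringEquals: { 'AWS:SourceArn': `arn:aws:cloudfront::${accountId}:distribution/${distributionId}` } },
    }],
  };
}

// For CloudFront the web ACL is attached by rewriting the distribution config with
// WebACLId set (not with wafv2 AssociateWebACL). Passing the ETag back as IfMatch
// makes the update fail instead of clobbering a concurrent change.
async function attachWebAcl(cloudfront, distributionId, webAclArn) {
  const { GetDistributionConfigCommand, UpdateDistributionCommand } = require('@aws-sdk/client-cloudfront');
  const { DistributionConfig, ETag } = await cloudfront.send(new GetDistributionConfigCommand({ Id: distributionId }));
  return cloudfront.send(new UpdateDistributionCommand({
    Id: distributionId,
    IfMatch: ETag,
    DistributionConfig: { ...DistributionConfig, WebACLId: webAclArn },
  }));
}

// Talks to AWS only when CF_DISTRIBUTION_ID is set (assumed env vars); otherwise the
// builders above can be inspected or tested offline.
async function main() {
  const distributionId = process.env.CF_DISTRIBUTION_ID;
  if (!distributionId) return null;
  const { WAFV2Client, CreateIPSetCommand, CreateWebACLCommand } = require('@aws-sdk/client-wafv2');
  const { CloudFrontClient } = require('@aws-sdk/client-cloudfront');
  const waf = new WAFV2Client({ region: 'us-east-1' });
  const allowed = (process.env.ALLOWED_IPS || '').split(','); // e.g. "203.0.113.0/24,198.51.100.7"
  const ipSet = await waf.send(new CreateIPSetCommand(buildIpSetRequest('office-allowlist', allowed)));
  const acl = await waf.send(new CreateWebACLCommand(buildWebAclRequest('office-only', ipSet.Summary.ARN)));
  return attachWebAcl(new CloudFrontClient({}), distributionId, acl.Summary.ARN);
}

main().catch((e) => { console.error(e); process.exit(1); });
```

Run it with CF_DISTRIBUTION_ID and ALLOWED_IPS set, under credentials that may call wafv2 and cloudfront in us-east-1; without those variables it only builds the request objects. Apply the bucket policy from buildBucketPolicy with s3:PutBucketPolicy (and block public access on the bucket) so that the S3 URL is not a second, unfiltered door. The SourceArn condition shown is the origin access control form; a distribution that still uses an origin access identity needs the OAI's canonical user as the principal instead.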
-1

Use a CloudFront Lambda (Lambda@Edge) or CloudFront Function to judge the X-Forwarded-For header.

chestar
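The function-based approach from the answer above, worked through as an added example that is not the answerer's code: a Lambda@Edge viewer-request handler in Node.js that allows only a list of IPv4 CIDRs. It deliberately does not read X-Forwarded-For. At the viewer-request event that header is whatever the client sent, so a client can simply write an allowed address into it; request.clientIp is the address CloudFront accepted the connection from and is the value to check. The allowlist is constructed sample data (loading it from S3, as the comment under the question suggests, is left out), and the 403 response body is an assumption.

```javascript
// Added example (not from the original answer): Lambda@Edge viewer-request handler that
// lets only listed IPv4 CIDRs through. ALLOWED_CIDRS is constructed sample data.
'use strict';

const ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.7/32']; // assumed office ranges

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n >>> 0;
}

// True if ip lies inside cidr ("a.b.c.d/len"; a bare address means /32). Malformed
// input on either side yields false, so the check fails closed ("a.b.c.d/" is not /0).
function inCidr(ip, cidr) {
  const [base, lenStr] = String(cidr).split('/');
  const len = lenStr === undefined ? 32 : (/^\d{1,2}$/.test(lenStr) ? Number(lenStr) : NaN);
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || !Number.isInteger(len) || len > 32) return false;
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0; // << is mod 32, hence the /0 case
  return ((ipN & mask) >>> 0) === ((baseN & mask) >>> 0);
}

function isAllowed(ip, cidrs) {
  return cidrs.some((cidr) => inCidr(ip, cidr));
}

// Decide on a Lambda@Edge request object. Only request.clientIp is consulted: it is the
// peer address CloudFront saw. X-Forwarded-For at the viewer-request event is client
// supplied and can claim any address, so it is never looked at here.
function decide(request, cidrs = ALLOWED_CIDRS) {
  if (isAllowed(request.clientIp, cidrs)) return request; // unchanged request continues to cache/origin
  return {
    status: '403',
    statusDescription: 'Forbidden',
    headers: { 'content-type': [{ key: 'Content-Type', value: 'text/plain' }] },
    body: 'Forbidden',
  };
}

// Lambda@Edge entry point for a viewer-request trigger.
async function handler(event) {
  return decide(event.Records[0].cf.request);
}

if (typeof module !== 'undefined') module.exports.handler = handler;
```

Attach it to the viewer-request event, not origin-request: origin-request only fires on cache misses, so a cached object would be served to any address. A CloudFront Function can run the same check with event.viewer.ip. The matcher is IPv4 only; IPv6 viewers, which a distribution accepts by default, fail closed with a 403, so either extend it or turn IPv6 off on the distribution.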