S3 버킷 권한 설정
버킷 정책 (아래 `#####` 로 시작하는 줄은 이 페이지용 설명 주석이다. S3 버킷 정책은 주석이 없는 순수 JSON 만 허용하므로, 콘솔/CLI 에 붙여 넣기 전에 해당 줄을 반드시 제거할 것)
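{
  "Version": "2012-10-17",
  "Id": "Policy1587704165650",
  "Statement": [
    {
      ##### Blacklist: explicit Deny for the listed source IP ranges. #####
      ##### Resource must list BOTH the bucket ARN (bucket-level actions such as ListBucket) AND "bucket/*" (object-level actions such as GetObject/PutObject/DeleteObject). With only the bucket ARN, object reads/writes from these ranges were still allowed. #####
      ##### aws:SourceIp is the caller's public IP as seen by S3. Requests arriving via the CloudFront OAI carry a CloudFront edge IP, not the viewer's IP (block viewers with AWS WAF on the distribution instead), and requests through a VPC endpoint do not carry this key at all (use aws:VpcSourceIp there), so this Deny does not match them. #####
      ##### An explicit Deny only matters for principals that already have an Allow (this policy, an IAM identity policy, or an ACL); everyone else is implicitly denied anyway. Because Principal is "*", it also binds your own IAM users from these ranges — verify a range before adding it. If the set of legitimate client networks is known, a Deny with NotIpAddress (allowlist) is stronger than this denylist. #####
      "Sid": "Blacklist",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxx.io",
        "arn:aws:s3:::xxx.io/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "185.220.100.0/24",
            "185.191.0.0/16",
            "185.92.0.0/16"
            ##### Add further IPs / CIDR ranges to block here (one quoted entry each, comma-separated). #####
          ]
        }
      }
    },
    {
      ##### Read-only: the S3 IAM user and the CloudFront OAI may read any object in the bucket. #####
      "Sid": "Stmt1587704160250",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::accountID:user/xxx-s3-user",
          "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EPURWMJ45ZU2U"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::xxx.io/*"
    },
    {
      ##### Read/write for the WAS IAM user, restricted to the listed prefixes. The CloudFront OAI was dropped from this statement: CloudFront only issues GET/HEAD to the origin (already granted above), so PutObject/DeleteObject for the OAI was an unnecessary privilege. #####
      "Sid": "WasReadWriteOnPrefixes",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID:user/was-s3-user"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::xxx.io/xx/app_icon/*",
        "arn:aws:s3:::xxx.io/xx/firebase_json/*",
        "arn:aws:s3:::xxx.io/xx/push_noti/*",
        "arn:aws:s3:::xxx.io/dist/*",
        "arn:aws:s3:::xxx.io/auto/*",
        "arn:aws:s3:::xxx.io/xx/upload_file/default/excel/sms/*",
        "arn:aws:s3:::xxx.io/xx/upload_file/default/csv/sms/*"
      ]
    }
  ]
}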
S3 엔드포인트 IP 대역 확인 방법 (S3 서비스 자체가 사용하는 공개 IP 대역으로, 방화벽/egress 허용 목록에 쓰는 값이다. 위 버킷 정책의 `aws:SourceIp` 에 들어가는 클라이언트 IP 와는 무관하다. 대역은 수시로 바뀌므로 주기적으로 다시 조회하거나 `AmazonIpSpaceChanged` SNS 토픽을 구독할 것)
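# Print the published S3 IPv4 prefixes for ap-northeast-2 (Seoul), one CIDR per line.
# -fsS: fail on an HTTP error instead of piping an HTML error page into jq, hide the progress meter, still report curl errors.
# The file also has an "ipv6_prefixes" array if IPv6 ranges are needed.
# This is a point-in-time snapshot; re-fetch regularly (or subscribe to the AmazonIpSpaceChanged SNS topic) because the ranges change.
curl -fsS https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="ap-northeast-2") | select(.service=="S3") | .ip_prefix'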