How to restrict access to a static S3 website to the VPN
I'm trying to secure access to an internal static website.
Everyone in the company uses a VPN to access our Amazon VPC, so I would like to limit access to that site to users who are on the VPN.
So I found this documentation on AWS about using a VPC endpoint, which seems to be what I'm looking for.
So I created a VPC endpoint with the following policy.
{
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
}
]
}
On my S3 bucket, I verified that I could access index.html both from the regular web and from the VPN.
Then I added the following bucket policy to restrict access to only the VPC endpoint.
{
"Id": "Policy1435893687892",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1435893641285",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::mybucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789:user/op"
]
}
},
{
"Sid": "Access-to-specific-VPCE-only",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::mybucket/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-1234567"
}
},
"Principal": "*"
}
]
}
Now the regular web gets a 403, but I also get a 403 when I'm behind the company VPN.
Am I missing something?
@Michael-sqlbot is right.
It seems what you are doing is restricting access to the S3 bucket where you store that static web content to requests coming from a particular AWS VPC, using a VPC endpoint.
VPC endpoints establish associations between AWS services to allow requests coming from INSIDE the VPC.
You can't get what you want with VPC and S3 ACL configuration, but you can get it with ACL and some VPN configuration.
Let's assume that connecting to your company's VPN doesn't mean that all traffic, including Internet traffic between the VPN clients and AWS S3, is routed through that VPN connection, because that's how a sane VPN configuration usually works. If that's not the case, omit the following step:
- Add a static route to your S3 bucket to your VPN server configuration, so every client tries to reach the bucket through the VPN instead of trying to establish a direct Internet connection with it. For example, on OpenVPN, edit server.conf, adding the following line:
push "route yourS3bucketPublicIP 255.255.255.255"
After that you will see that when a client connects to the VPN it gets an extra entry added to its routing table, corresponding to the static route that tells it to reach the bucket through the VPN.
- Use the S3 bucket ACL's "IpAddress" field to set the configuration you want. It should look something like this:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
"NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
}
}
]
}
You use the IpAddress field to allow an IP or range of IPs using CIDR notation, and the NotIpAddress field the same way for restricting an IP or range of IPs (you can omit that one). The IP (or range of IPs) specified in IpAddress should be the public address(es) of the gateway interface(s) that route(s) your company's VPN Internet traffic (the IP address(es) S3 sees when somebody from your VPN tries to connect to it).
More info:
http://www.bucketexplorer.com/documentation/amazon-s3--access-control-list-acl-overview.html
http://aws.amazon.com/articles/5050/
https://openvpn.net/index.php/open-source/documentation/howto.html
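To make the 403 in the question and the fix in the answer concrete, here is an added example (not code from the question or the answer) that models how S3 decides on the bucket policies above for an anonymous GET of index.html. It is a deliberately small IAM evaluator: an explicit Deny wins, otherwise an Allow from the bucket policy or from a public-read object ACL grants access, otherwise the request is denied; only the condition operators that appear on this page are implemented. It evaluates three policies: the question's aws:sourceVpce policy, the answer's aws:SourceIp approach (written with an explicit Deny so a public-read object ACL cannot undercut it, and with Action narrowed to s3:GetObject because Principal is "*"), and a combined policy that admits both in-VPC and VPN-routed clients. The endpoint ID is the one from the question; the VPN gateway address 203.0.113.10, the client addresses, the private address recorded for the in-VPC request, and the public-read ACL default are all assumptions, and the policy evaluation is a model, not the AWS implementation.

```python
"""Model of how S3 decides on the bucket policies discussed on this page.

Added example, not from the original post. Simplified IAM evaluation: an explicit
Deny wins; otherwise any Allow (bucket policy or public-read object ACL) grants;
otherwise the request is denied. Only the operators used on this page are covered.
All IDs and addresses are constructed (198.51.100.0/24 and 203.0.113.0/24 are
documentation ranges).
"""
import fnmatch
import ipaddress

BUCKET = "mybucket"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/index.html"
VPCE_ID = "vpce-1234567"           # endpoint ID from the question's policy
VPN_EGRESS_IP = "203.0.113.10"     # assumed public IP of the company VPN gateway


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(conditions, ctx):
    """All condition blocks of a statement are ANDed. A key missing from the
    request satisfies the negated operators, which is why an Internet request
    that carries no aws:sourceVpce still matches the StringNotEquals Deny."""
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            values, actual = _as_list(expected), ctx.get(key)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringNotEquals":
                ok = actual not in values
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False)
                    for v in values)
                ok = in_range if operator == "IpAddress" else not in_range
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def evaluate_policy(policy, action, resource, principal, ctx):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one policy."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        prin = st["Principal"]
        if prin != "*" and principal not in _as_list(prin.get("AWS", [])):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def decide(policy, ctx, acl_public_read=True):
    """Anonymous GET of index.html: bucket policy combined with the object ACL.
    acl_public_read=True models the public-read ACL the question implies."""
    result = evaluate_policy(policy, "s3:GetObject", OBJECT_ARN, "anonymous", ctx)
    if result == "Deny":
        return "Deny"
    return "Allow" if result == "Allow" or acl_public_read else "Deny"


OBJ = f"arn:aws:s3:::{BUCKET}/*"
# Policy 1: the question's bucket policy (deny unless the request came via the endpoint).
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789012:user/op"]},
     "Action": "s3:*", "Resource": OBJ},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [OBJ],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}}}]}
# Policy 2: the answer's approach keyed on the VPN gateway address, plus an explicit
# Deny so a public-read ACL cannot bypass it; read-only because Principal is "*".
IP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJ,
     "Condition": {"IpAddress": {"aws:SourceIp": f"{VPN_EGRESS_IP}/32"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": OBJ,
     "Condition": {"NotIpAddress": {"aws:SourceIp": f"{VPN_EGRESS_IP}/32"}}}]}
# Policy 3 (assumed, not on the page): both origins. The Deny's two conditions are
# ANDed, so it fires only for requests from neither the endpoint nor the VPN.
COMBINED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJ,
     "Condition": {"IpAddress": {"aws:SourceIp": f"{VPN_EGRESS_IP}/32"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJ,
     "Condition": {"StringEquals": {"aws:sourceVpce": VPCE_ID}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": OBJ,
     "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID},
                   "NotIpAddress": {"aws:SourceIp": f"{VPN_EGRESS_IP}/32"}}}]}
POLICIES = {"vpce": VPCE_POLICY, "ip": IP_POLICY, "combined": COMBINED_POLICY}

# Constructed request contexts. aws:sourceVpce exists only when the request entered
# S3 through the gateway endpoint; a VPN client whose S3 traffic still leaves via its
# own uplink looks exactly like any Internet client. The in-VPC request is modeled
# with a private source address (assumption); all that matters is that it is not
# the VPN gateway's public address.
REQUESTS = {
    "internet":         {"aws:SourceIp": "198.51.100.7"},
    "vpn_split_tunnel": {"aws:SourceIp": "198.51.100.7"},
    "inside_vpc":       {"aws:SourceIp": "10.0.1.25", "aws:sourceVpce": VPCE_ID},
    "vpn_routed":       {"aws:SourceIp": VPN_EGRESS_IP},
}


def run_scenarios(acl_public_read=True):
    """Decision for every (request origin, policy) pair."""
    return {name: {pn: decide(p, ctx, acl_public_read) for pn, p in POLICIES.items()}
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for name, row in run_scenarios().items():
        print(f"{name:17s} " + "  ".join(f"{k}={v}" for k, v in row.items()))
```

Running it shows the question's symptom directly: under the vpce policy the split-tunnel VPN client is denied exactly like an Internet client, because nothing about its request carries aws:sourceVpce. Under the ip policy the same client is still denied until its S3 traffic actually egresses through the VPN gateway (the vpn_routed row), which is what the route-push step in the answer is for; note that a request from inside the VPC is then denied too, since it does not arrive from the gateway address. The combined policy admits both. The explicit Deny in the ip policy matters when objects are public-read: with only the Allow statement from the answer, the ACL alone would keep granting anonymous reads from anywhere.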