
Amazon s3 Pre-signed URL restricted by IP address

The client app requests a presigned URL for S3. Currently we limit the time the URL is valid but would like to also restrict it to the client's IP address.

Is it possible to create an S3 presigned URL that is restricted to a specific IP address?

From what I can tell only CloudFront will let me do this.

user1604402 asked Jul 18 '18 16:07


People also ask

Can I restrict S3 access by IP?

To secure our files on Amazon S3, we can restrict access to an S3 bucket to specific IP addresses. The following bucket policy grants permissions to any user to perform any S3 action on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition.

How do S3 pre signed URLs work?

Pre-signed URLs are used to provide short-term access to a private object in your S3 bucket. They work by appending an AWS Access Key, expiration time, and SigV4 signature as query parameters to the S3 object. There are two common use cases when you may want to use them: Simple, occasional sharing of private files.

Are S3 pre signed URLs secure?

There is an access check on the S3 side but that only checks whether the signer entity is allowed to get the file. You can remove that permission but that invalidates all signed URLs. Signed URLs provide a secure way to distribute private content without streaming them through the backend.

How do I get pre signed URL S3?

Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/. In the Buckets list, choose the name of the bucket that contains the object that you want a presigned URL for. In the Objects list, select the object that you want to create a presigned URL for.


1 Answer

Yes!

First, it is worth explaining the concept of a Pre-Signed URL.

Objects in Amazon S3 are private by default. Therefore, if somebody tries to access an object without providing credentials, access will be denied.

For example, this would not work for a private object:

https://my-bucket.s3.amazonaws.com/foo.json

To grant temporary access to the object, a Pre-signed URL can be generated. It looks similar to:

https://my-bucket.s3.amazonaws.com/x.json?AWSAccessKeyId=AKIAIVJQM12345CY3A3Q&Expires=1531965074&Signature=g7Jz%2B%2FYyqc%2FDeL1rzo7WM61RusM%3D

The URL says "I am *this* particular Access Key and I authorize temporary access until *this* time and here is my calculated signature to prove it is me".

When the Pre-Signed URL is used, it temporarily uses the permissions of the signing entity to gain access to the object. This means that I can generate a valid pre-signed URL for an object that I am permitted to access, but the pre-signed URL will not work if I am not normally permitted to access the object.

Therefore, to "create an S3 presigned URL that is restricted to a specific IP address", you should:

  • Create an IAM entity (e.g. an IAM User) that has access to the object (or the whole bucket) with an IP address restriction, and
  • Use that entity to generate the pre-signed URL

Here is a sample policy for the IAM User:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "54.22.33.44/32"
                }
            }
        }
    ]
}

The result will be a pre-signed URL that works successfully to access the object, but is then rejected by S3 because the IP address restriction is not met. The user will receive an Access Denied message.

John Rotenstein answered Nov 08 '22 23:11
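The approach in the answer above, as an added example that is not part of the original answer and is not AWS code: a small offline model of the legacy query-string format shown in the sample URL (AWSAccessKeyId, Expires, Signature) and of the per-request decision, showing that the IP restriction lives in the signer's policy and not in the URL. The keys are constructed placeholders, `presign` and `evaluate` are hypothetical names, and the IAM policy is reduced to a list of `aws:SourceIp` CIDR ranges.

```python
import base64, hashlib, hmac, ipaddress
from urllib.parse import quote, urlparse, parse_qs

# Constructed placeholders, not real credentials.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "constructed-secret-for-illustration"
SECRETS = {ACCESS_KEY: SECRET_KEY}
# aws:SourceIp ranges from the policy attached to the signing IAM user
# (the value used in the answer's sample policy).
SIGNER_ALLOWED_CIDRS = {ACCESS_KEY: ["54.22.33.44/32"]}

def _signature(secret, bucket, key, expires):
    # Legacy query-string auth: HMAC-SHA1 over "GET\n\n\n<Expires>\n/<bucket>/<key>".
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}/{key}"
    digest = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def presign(bucket, key, expires):
    """Build a pre-signed GET URL; note that no client IP goes into it."""
    sig = quote(_signature(SECRET_KEY, bucket, key, expires), safe="")
    return (f"https://{bucket}.s3.amazonaws.com/{key}"
            f"?AWSAccessKeyId={ACCESS_KEY}&Expires={expires}&Signature={sig}")

def evaluate(url, source_ip, now):
    """Simplified model of the server-side decision: (HTTP status, reason)."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    bucket, key = parts.hostname.split(".")[0], parts.path.lstrip("/")
    secret = SECRETS.get(q.get("AWSAccessKeyId"))
    if secret is None:
        return 403, "InvalidAccessKeyId"
    expected = _signature(secret, bucket, key, q.get("Expires", ""))
    if not hmac.compare_digest(expected, q.get("Signature", "")):
        return 403, "SignatureDoesNotMatch"
    if now > int(q["Expires"]):
        return 403, "AccessDenied (expired)"
    # The request runs with the signer's permissions, so the signer's
    # aws:SourceIp condition is checked against the caller of each request.
    ip = ipaddress.ip_address(source_ip)
    cidrs = SIGNER_ALLOWED_CIDRS[q["AWSAccessKeyId"]]
    if not any(ip in ipaddress.ip_network(c) for c in cidrs):
        return 403, "AccessDenied (aws:SourceIp)"
    return 200, "OK"
```

Because the restriction is a property of the signing identity, every URL that identity signs is bound to the same address ranges; a different client address needs a different policy or a different signer.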