バケット内のすべてのオブジェクトの「取得」を許可するには

Fire bucketsFire buckets / ross_hawkes

 

Condition > IpAddress > aws:SourceIpに、すべての接続元を示す0.0.0.0/0を指定します。
(Resourceはご自身の管理するバケット名を指示するArnに要変更)

{
	"Version": "2008-10-17",
	"Id": "S3BucketPolicy",
	"Statement": [
		{
			"Sid": "AllowToGetByIP",
			"Effect": "Allow",
			"Principal": {
				"AWS": "*"
			},
			"Action": "s3:GetObject*",
			"Resource": "arn:aws:s3:::your.backet.name/*",
			"Condition": {
				"IpAddress": {
					"aws:SourceIp": "0.0.0.0/0"
				}
			}
		}
	]
}

Condition > IpAddress > aws:SourceIpに、0.0.0.0/0以外のCIDRを指定すれば、超絶簡単IPアドレス制約。

{
	"Version": "2008-10-17",
	"Id": "S3BucketPolicy",
	"Statement": [
		{
			"Sid": "AllowToGetByIP",
			"Effect": "Allow",
			"Principal": {
				"AWS": "*"
			},
			"Action": "s3:GetObject*",
			"Resource": "arn:aws:s3:::your.backet.name/*",
			"Condition": {
				"IpAddress": {
					"aws:SourceIp": "192.168.0.0/16"
				}
			}
		}
	]
}

リファラで制約を与えるには、

{
	"Version": "2008-10-17",
	"Id": "S3BucketPolicy",
	"Statement": [
		{
			"Sid": "AllowToGetByReferer",
			"Effect": "Allow",
			"Principal": {
				"AWS": "*"
			},
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::your.backet.name/*",
			"Condition": {
				"StringLike": {
					"aws:Referer": [
						"http://yourdomain.com/css/*",
						"http://yourdomain.com/*"
					]
				}
			}
		}
	]
}

こんな感じ。簡単。