AWS 限制S3 bucket掛載到特定機器

限制AWS S3 bucket只能掛載到特定機器的方式如下。

事前要求

參考「AWS EC2 Amazon Linux 2023 mount S3 bucket」瞭解如何掛載bucket到Linux主機。

限制設定

透過在S3 bucket設定bucket policy來限制特定IP才能存取來實現，即指定機器的IP以外的IP皆拒絕存取，如此便只有該機器可以掛載此bucket。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Principal": {
                "AWS": "<USER_ARN>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "<S3_ARN>",
                "<S3_ARN>/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "<MACHINE_IP>"
                }
            }
        }
    ]
}

• AWS: Denies access to AWS based on the source IP
• Bucket policy examples - Managing access based on specific IP addresses