Assorted S3 Bucket Policies

Posted at 2019-09-13

Part 1

Access to the objects in Resource is allowed from the range given in IpAddress, except for the address listed in NotIpAddress.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::naata-aws/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "202.232.30.222/32"
                },
                "IpAddress": {
                    "aws:SourceIp": "202.232.30.201/24"
                }
            }
        }
    ]
}

Part 2

Access is controlled with a StringLike condition on the aws:Referer condition key.
The Allow statement alone would be enough, but a Deny statement is added to tighten security.

{
    "Version": "2012-10-17",
    "Id": "http referer policy",
    "Statement": [
        {
            "Sid": "Allow get requests referred by www.naata.tk and naata.tk.",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::naata-aws/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://www.naata.tk/*",
                        "http://naata.tk/*"
                    ]
                }
            }
        },
        {
            "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::naata-aws/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "http://www.naata.tk/*",
                        "http://naata.tk/*"
                    ]
                }
            }
        }
    ]
}

Part 3

Deny requests that were not authenticated with MFA.

{
    "Version": "2012-10-17",
    "Id": "MultiFactorAuthAge",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::naata-aws/*",
            "Condition": {
                "Null": {
                    "aws:MultiFactorAuthAge": true
                }
            }
        }
    ]
}

Part 4

Explicitly deny these actions when the principal has not authenticated with MFA, and explicitly allow them when it has.

{
    "Version": "2012-10-17",
    "Id": "MultiFactorAuthPresent",
    "Statement": [
        {
            "Sid": "Deny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::************:user/leomaro7"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::naata-aws/*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        },

        {
            "Sid": "Allow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::************:user/leomaro7"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::naata-aws",
                "arn:aws:s3:::naata-aws/*"
            ]
        }
    ]
}

Part 5

Deny permission to upload an object unless the request includes the x-amz-server-side-encryption header.

{
    "Version": "2012-10-17",
    "Id": "x-amz-server-side-encryption",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::naata-aws/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::naata-aws/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

Part 6

Allow put/delete only when the request was MFA-authenticated, using a Bool condition on aws:MultiFactorAuthPresent.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "accountid"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::naata-aws/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}
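As an added example that is not part of the original article, the following Python evaluator models how the condition operators used in Parts 1 through 6 (IpAddress/NotIpAddress, StringLike/StringNotLike, StringNotEquals, Null, Bool/BoolIfExists) decide a single request, including the case where the key is absent from the request context. The two embedded policies are constructed, shortened copies of Parts 2 and 4 with Principal and Resource omitted, and the missing-key rule it implements is my reading of the AWS documentation, not AWS code.

```python
import fnmatch
import ipaddress

# Example code for this article, not an AWS library: a minimal evaluator for the
# condition operators used in the six policies above. Modeled rule for a key that is
# missing from the request context: positive operators (Bool, StringLike, IpAddress)
# fail, negated operators (StringNot*, NotIpAddress) and ...IfExists match, Null:true is true.
def match(op, expected, actual):
    vals = expected if isinstance(expected, list) else [expected]
    if op == "Null":
        return (actual is None) == (str(expected).lower() == "true")
    if actual is None:
        return op.startswith(("StringNot", "NotIp")) or op.endswith("IfExists")
    if op == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False) for v in vals)
    if op == "NotIpAddress":
        return not match("IpAddress", expected, actual)
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(actual, v) for v in vals)
    if op == "StringNotLike":
        return not match("StringLike", expected, actual)
    if op == "StringNotEquals":
        return actual not in vals
    if op in ("Bool", "BoolIfExists"):
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"operator {op} is not covered by this example")

def evaluate(policy, action, context):
    """Decision of this policy alone: 'Allow', 'Deny' (explicit, beats Allow) or 'ImplicitDeny'."""
    # Principal and Resource are assumed to match and are not re-checked here.
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        cond = stmt.get("Condition", {})
        if all(match(op, exp, context.get(k)) for op, kv in cond.items() for k, exp in kv.items()):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# Constructed, shortened copies of policies 2 and 4 above (Principal/Resource omitted).
REFERERS = ["http://www.naata.tk/*", "http://naata.tk/*"]
REFERER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Condition": {"StringLike": {"aws:Referer": REFERERS}}},
    {"Effect": "Deny", "Action": "s3:*", "Condition": {"StringNotLike": {"aws:Referer": REFERERS}}}]}
MFA_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]}]}
```

evaluate(REFERER_POLICY, "s3:GetObject", {}) returns "Deny": a request without a Referer header, such as one from the AWS CLI, is caught by the StringNotLike Deny statement of Part 2, so that statement can lock out legitimate non-browser access. Likewise evaluate(MFA_POLICY, "s3:PutObject", {}) is "Deny", because long-term access keys carry no aws:MultiFactorAuthPresent key and BoolIfExists treats the absence as a match, which is the behaviour Part 4 relies on.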