2
votes

I created an AWS S3 bucket for my domain. My domain uses Cloudflare, so I added my bucket's address as a CNAME in Cloudflare's DNS panel. It works. But I don't want users to have direct access to my bucket via its URL; it should only be accessible via my domain (with the Cloudflare proxy). I think I should deny access by default and whitelist Cloudflare's IP ranges. I got those IP ranges. How can I restrict access from all IP addresses by default and only allow specific IP ranges?

1
To clarify: you aren't trying to "secure" your content, you simply want the content to be accessible only using the domain name configured on Cloudflare... correct? – Michael - sqlbot

1 Answer

1
votes

You have to do this via the S3 bucket policy. This is under the "Permissions" tab of your bucket. I've included my bucket policy below.

This bucket policy is updated for Cloudflare's most recent IP addresses (including IPv6) and it also denies all access not from a Cloudflare IP address out of the box.

{
  "Id": "Policy1517260196123",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "A string ID here",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::yourbucket.example.com/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "103.21.244.0/22",
            "103.22.200.0/22",
            "103.31.4.0/22",
            "104.16.0.0/12",
            "108.162.192.0/18",
            "131.0.72.0/22",
            "141.101.64.0/18",
            "162.158.0.0/15",
            "172.64.0.0/13",
            "173.245.48.0/20",
            "188.114.96.0/20",
            "190.93.240.0/20",
            "197.234.240.0/22",
            "198.41.128.0/17",
            "2400:cb00::/32",
            "2405:8100::/32",
            "2405:b500::/32",
            "2606:4700::/32",
            "2803:f800::/32",
            "2c0f:f248::/32",
            "2a06:98c0::/29"
          ]
        }
      },
      "Principal": {
        "AWS": "*"
      }
    }
  ]
}
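As an added example, not part of the answer above or of any AWS or Cloudflare tooling: the script below builds a bucket policy of the same shape from a list of Cloudflare CIDR ranges and evaluates, offline, whether a request from a given source IP would hit the Deny statement, mirroring how the `NotIpAddress` condition on `aws:SourceIp` is matched. The range list is copied from the answer's policy; the bucket name, the `Sid`, and the helper names (`build_policy`, `is_allowed_source`, `request_denied`) are placeholders of my own. The evaluator models only this one condition form, not the full IAM policy evaluation logic.

```python
"""
Added example (not the original answer's code): generate a Cloudflare-only S3
bucket policy and check which source IPs it would deny.
"""
import ipaddress
import json

# Ranges as listed in the answer above. Cloudflare publishes the current list at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6;
# refresh from there before deploying a policy built from this list.
CLOUDFLARE_RANGES = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17",
    "2400:cb00::/32", "2405:8100::/32", "2405:b500::/32", "2606:4700::/32",
    "2803:f800::/32", "2c0f:f248::/32", "2a06:98c0::/29",
]


def build_policy(bucket, ranges, include_bucket_arn=False):
    """Return a bucket policy (as a dict) that denies every S3 action on the
    bucket's objects unless the request's source IP is inside `ranges`.

    The answer's policy names only the object ARN (bucket/*), which covers
    object-level calls such as GetObject. With include_bucket_arn=True the
    bucket ARN itself is added as well, so bucket-level calls such as
    s3:ListBucket fall under the same Deny.
    """
    resources = [f"arn:aws:s3:::{bucket}/*"]
    if include_bucket_arn:
        resources.insert(0, f"arn:aws:s3:::{bucket}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromCloudflare",  # placeholder Sid
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(ranges)}},
            }
        ],
    }


def is_allowed_source(ip, ranges):
    """True if `ip` lies inside any CIDR in `ranges`. A v4 address never
    matches a v6 network and vice versa, as with AWS's IpAddress matching."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def request_denied(policy, ip):
    """Evaluate the policy's Deny statements for a request arriving from `ip`.
    Only the NotIpAddress / aws:SourceIp condition form is modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        ranges = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        # NotIpAddress is true (and the Deny applies) when the source is
        # outside every listed range.
        if not is_allowed_source(ip, ranges):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy("yourbucket.example.com", CLOUDFLARE_RANGES)
    print(json.dumps(policy, indent=2))
    # Constructed sample sources: a Cloudflare v4 edge, a Cloudflare v6 edge,
    # and a documentation-range address standing in for a direct client.
    for ip in ("104.16.1.1", "2606:4700::1", "203.0.113.7"):
        print(ip, "denied" if request_denied(policy, ip) else "allowed")
```

Two caveats worth keeping in mind with this approach. First, the answer's policy only names `arn:aws:s3:::yourbucket.example.com/*`, so the Deny applies to object operations; bucket-level operations such as listing need the bucket ARN itself in `Resource` (the `include_bucket_arn` switch above adds it). Second, Cloudflare's edge IP ranges are shared by all Cloudflare customers, so an allowlist of those ranges ensures requests come through Cloudflare, not that they come through your zone; that is the distinction the comment on the question is pointing at.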