2
votes

I am working on a demo website using AWS S3 and have restricted it to a certain number of IPs using a bucket policy (e.g.).

{
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPDeny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-wicked-awesome-bucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "XX.XX.XX.XX/XX"
                }
            }
        }
    ]
}

This works nicely. Now I want to use CloudFront to serve the website over HTTPS on a custom domain. I have created the distribution and the bucket policy has been modified (to allow CloudFront access) but I keep getting an access denied error when I try to access the CloudFront URL.

Is it possible to still use the bucket policy IP access list using CloudFront? If so, how do I do it?


2 Answers

3
votes

You can remove the IP blacklisting/whitelisting from the S3 bucket policy and attach AWS WAF with the required access rules to the CloudFront distribution.

Note: Make sure, when you make the S3 bucket private, to set up the Origin Access Identity user properly both in CloudFront and S3. Also, if the bucket is in a different region than North Virginia, it can take some time for the DNS propagation.

3
votes

A Lambda function that changes the bucket policy based on changes in the published list of IPs: Here

The function can be invoked by an SNS topic monitoring the list of IPs. Here is the documentation on that.

Here is the SNS topic for it.

arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
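The core of such a Lambda, as an added example that is not the answerer's code and not AWS's sample: it verifies a downloaded ip-ranges.json against the MD5 carried in the AmazonIpSpaceChanged notification, pulls out the CloudFront prefixes, merges them into the questioner's own allow-list and rebuilds the same Deny/NotIpAddress statement as the question's policy. The reason the merge is needed is the "access denied" from the question: once CloudFront fronts the bucket, S3 sees requests arriving from CloudFront's addresses, so an IP allow-list that only names the office range blocks the distribution itself. The sample ip-ranges.json and SNS message are constructed inline; `OFFICE_CIDRS` stands in for the question's `XX.XX.XX.XX/XX`, and the `CLOUDFRONT` service tag is an assumption about which prefixes reach the origin. Downloading the document and calling `put_bucket_policy` are left out so the example runs offline.

```python
import hashlib
import ipaddress
import json

# Constructed sample ip-ranges.json (a tiny stand-in for the real document at
# https://ip-ranges.amazonaws.com/ip-ranges.json). The two CLOUDFRONT prefixes
# are adjacent on purpose, to show the collapse step below.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "GLOBAL",    "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL",    "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24",  "region": "us-east-1", "service": "EC2"},
    ],
})

# Constructed sample notification, shaped like the JSON body published on the
# AmazonIpSpaceChanged topic (create-time, synctoken, md5, url).
SAMPLE_SNS_MESSAGE = json.dumps({
    "create-time": "2023-11-14-00-00-00",
    "synctoken": "1700000000",
    "md5": hashlib.md5(SAMPLE_IP_RANGES.encode()).hexdigest(),
    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
})

BUCKET_ARN = "arn:aws:s3:::my-wicked-awesome-bucket"  # bucket named in the question
OFFICE_CIDRS = ["192.0.2.0/24"]          # placeholder for the question's XX.XX.XX.XX/XX list
CLOUDFRONT_SERVICE = "CLOUDFRONT"        # assumption: service tag of the prefixes that reach the origin
MAX_POLICY_BYTES = 20 * 1024             # S3 bucket policy size limit


def verify_ranges(document, expected_md5):
    """Reject a downloaded ip-ranges.json whose MD5 differs from the one announced by SNS."""
    actual = hashlib.md5(document.encode()).hexdigest()
    if actual != expected_md5:
        raise ValueError(f"ip-ranges.json md5 {actual} != announced {expected_md5}")
    return json.loads(document)


def service_prefixes(ranges, service):
    """IPv4 prefixes tagged with `service`, merged so the policy carries as few entries as possible."""
    nets = (ipaddress.ip_network(p["ip_prefix"]) for p in ranges["prefixes"] if p["service"] == service)
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def build_policy(ranges, allowed_cidrs, bucket_arn=BUCKET_ARN):
    """Same Deny/NotIpAddress shape as the question's policy, with CloudFront's ranges added to the allow-list."""
    source_ips = sorted(set(allowed_cidrs) | set(service_prefixes(ranges, CLOUDFRONT_SERVICE)),
                        key=ipaddress.ip_network)
    deny = {
        "Sid": "IPDeny",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": f"{bucket_arn}/*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": source_ips}},
    }
    return {"Version": "2012-10-17", "Id": "S3PolicyId1", "Statement": [deny]}


def policy_fits(policy):
    """Bucket policies above 20 KB are rejected by S3, so check before trying to apply."""
    return len(json.dumps(policy).encode()) <= MAX_POLICY_BYTES


def handle_notification(message_json, document, current_policy, allowed_cidrs):
    """Core of the Lambda handler: returns the new policy, or None when nothing needs to change.
    A deployed version would fetch message['url'] itself and push the result with
    boto3's put_bucket_policy; both are omitted here so the example runs offline."""
    message = json.loads(message_json)
    ranges = verify_ranges(document, message["md5"])
    if ranges["syncToken"] != message["synctoken"]:
        raise ValueError("downloaded document does not match the announced syncToken")
    new_policy = build_policy(ranges, allowed_cidrs)
    if not policy_fits(new_policy):
        raise ValueError("policy would exceed the 20 KB bucket policy limit")
    if current_policy == new_policy:
        return None  # idempotent: an unchanged policy is not re-applied
    return new_policy


if __name__ == "__main__":
    updated = handle_notification(SAMPLE_SNS_MESSAGE, SAMPLE_IP_RANGES, None, OFFICE_CIDRS)
    print(json.dumps(updated, indent=2))
```

Verifying the MD5 and syncToken before touching the policy means a truncated or stale download never gets written into the bucket, and returning None for an unchanged policy keeps repeated notifications from generating needless PutBucketPolicy calls in CloudTrail.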