設定
- 特定のIAMユーザ（`arn:aws:iam::アカウントID:user/ユーザ名` の形式で指定）は、アクセス元IPアドレスを問わずオブジェクトの更新（PutObject）と取得（GetObject）が可能
- 指定したアクセス元IPアドレスからは、誰でもオブジェクトの閲覧（GetObject）が可能
- 上記以外からの PutObject / GetObject は明示的に拒否（Deny）。それ以外のアクションはこのポリシーでは許可も明示的拒否もしていないため、既定の暗黙的拒否に依存する。なお Deny と NotPrincipal を組み合わせる場合、除外するユーザの ARN に加えてそのアカウントの root（`arn:aws:iam::アカウントID:root`）も NotPrincipal に含めないと、アカウント全体が拒否され得る点に注意。
{
"Version": "2012-10-17",
"Id": "Policy[XXX]",
"Statement": [
{
"Sid": "Stmt[XXX]",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::[XXX]"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::[XXX]/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"XXX",
"XXX"
]
}
}
},
{
"Sid": "Stmt[XXX]",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::[XXX]/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"XXX",
"XXX"
]
}
}
},
{
"Sid": "AllowBucketAndObjectsAccessFromDeploy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[XXX]"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::[XXX]/*"
}
]
}
参考