Cloudflare IP whitelist S3 bucket policy gives 403

I am hosting a static site on AWS S3. To allow access to the site through my domain only, I set the bucket policy described here:
https://support.cloudflare.com/hc/en-us/articles/360037983412-Configuring-an-Amazon-Web-Services-static-site-to-use-Cloudflare

This is my policy:

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example.com/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "2400:cb00::/32",
            "2405:8100::/32",
            "2405:b500::/32",
            "2606:4700::/32",
            "2803:f800::/32",
            "2c0f:f248::/32",
            "2a06:98c0::/29",
            "103.21.244.0/22",
            "103.22.200.0/22",
            "103.31.4.0/22",
            "104.16.0.0/12",
            "108.162.192.0/18",
            "131.0.72.0/22",
            "141.101.64.0/18",
            "162.158.0.0/15",
            "172.64.0.0/13",
            "173.245.48.0/20",
            "188.114.96.0/20",
            "190.93.240.0/20",
            "197.234.240.0/22",
            "198.41.128.0/17"
          ]
        }
      }
    }
  ]
}

But S3 gives a 403 error.

Can you add an asterisk * symbol at the end, like arn:aws:s3:::example.com/* - all files under that location/directory/(sub)domain?

arn:aws:s3:::bucket-name-here/* → * (star symbol)

And maybe the Principal should have * too (or I am wrong about this one)?

"Principal": {
  "AWS": "*"
}

Just to note, be careful with the IP address or range in condition. Unless you are using an Elastic IP, your EC2 instance’s IP can change e.g. if you stop then restart the instance as far as I believe?

And, as I believe, there is a case where, for example, if your sub-domain at Cloudflare is :orange: or :grey:, I am not sure if S3 gets the "true visitor IP address", or if it always gets Cloudflare's IP address in a request/response to fetch/get an object?

That way, if it gets the Cloudflare IP address - fine, but if it gets a user/visitor IP address, and you did not allow it in the policy, it should then return the stated "403 error" as forbidden to serve the object to the visitor/user who is requesting it.
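As an added illustration (not code from this thread or from Cloudflare), here is a small Python evaluator for this kind of bucket policy. It applies the Resource pattern and the aws:SourceIp condition the way S3 does, so you can see that a Resource without the trailing * matches no object key at all, and that only requests arriving from a listed Cloudflare range are allowed. The policy and IP list below are constructed, using a subset of the Cloudflare ranges from the question.

```python
import ipaddress
import json
from fnmatch import fnmatchcase

# Constructed example policy, patterned on the one in the thread; a short
# subset of the Cloudflare ranges is enough to show the evaluation logic.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IPAllow",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example.com/*",
    "Condition": {"IpAddress": {"aws:SourceIp": [
      "2606:4700::/32", "104.16.0.0/12", "172.64.0.0/13", "173.245.48.0/20"
    ]}}
  }]
}
""")

def _as_list(value):
    """IAM allows a string or a list for Action/Resource/SourceIp; normalise."""
    return value if isinstance(value, list) else [value]

def ip_in_ranges(source_ip, cidrs):
    """aws:SourceIp condition: is the caller's IP inside any listed CIDR?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def get_object_allowed(policy, object_arn, source_ip):
    """Evaluate an anonymous s3:GetObject on object_arn from source_ip.
    Implicit deny unless some Allow matches; any matching Deny wins."""
    allowed = False
    for st in policy["Statement"]:
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # only the public/anonymous principal is modelled here
        if not any(fnmatchcase("s3:GetObject", a) for a in _as_list(st["Action"])):
            continue
        # IAM resource patterns use * and ? like shell globs; a pattern that
        # ends at the "/" (no trailing *) matches no object key, hence 403.
        if not any(fnmatchcase(object_arn, r) for r in _as_list(st["Resource"])):
            continue
        cidrs = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if cidrs and not ip_in_ranges(source_ip, _as_list(cidrs)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```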
