@pszabop
Last active September 15, 2017 01:42
Cloudflare S3 bucket permissions

The logic of S3 bucket policies is convoluted. To restrict a bucket to a set of IP ranges you have to use a double negative: a Deny statement whose condition is NotIpAddress, paired with an Allow statement for public reads.

Copy and paste this example, replacing bucketname and keeping the Cloudflare IP ranges you need. The following website is helpful for keeping the list current: cloudflare IP addresses

{
    "Version": "2008-10-17",
    "Id": "S3PolicyIdBucketCloudFlareIpAddressWhitelist",
    "Statement": [
        {
            "Sid": "IPDeny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "103.21.244.0/22",
                        "103.22.200.0/22",
                        "103.31.4.0/22",
                        "104.16.0.0/12",
                        "108.162.192.0/18",
                        "131.0.72.0/22",
                        "141.101.64.0/18",
                        "162.158.0.0/15",
                        "172.64.0.0/13",
                        "173.245.48.0/20",
                        "188.114.96.0/20",
                        "190.93.240.0/20",
                        "197.234.240.0/22",
                        "198.41.128.0/17"
                    ]
                }
            }
        },
        {
            "Sid": "PublicReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}
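To make the double-negative logic concrete, here is an added example (not part of the gist) that evaluates a request against a constructed copy of the policy above, using only three of the gist's CIDRs for brevity. It models the S3 rule that an explicit Deny overrides any Allow and that the default is Deny; the function and module names are assumptions. Note that the Deny applies to every principal, so an upload from an IP outside the list is also blocked, even for the bucket owner.

```python
import ipaddress

# Constructed subset of the gist's policy (bucketname and CIDRs taken from the page).
POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "IPDeny", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::bucketname/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": [
             "103.21.244.0/22", "104.16.0.0/12", "172.64.0.0/13"]}}},
        {"Sid": "PublicReadForGetBucketObjects", "Effect": "Allow",
         "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bucketname/*"},
    ],
}

def _matches(pattern, value):
    # IAM-style trailing wildcard: "s3:*" matches every S3 action,
    # "arn:aws:s3:::bucketname/*" matches every object key in the bucket.
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def _condition_holds(condition, source_ip):
    # Only the IpAddress / NotIpAddress operators on aws:SourceIp are modelled.
    ip = ipaddress.ip_address(source_ip)
    for op, kv in condition.items():
        in_list = any(ip in ipaddress.ip_network(c) for c in kv.get("aws:SourceIp", []))
        if op == "IpAddress" and not in_list:
            return False
        if op == "NotIpAddress" and in_list:
            return False
    return True

def evaluate(policy, action, resource, source_ip):
    """Bucket-policy-only evaluation: explicit Deny wins, default is Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"        # an explicit Deny ends evaluation immediately
        allowed = True
    return "Allow" if allowed else "Deny"
```

Identity-based policies are not modelled here, but an explicit Deny in the bucket policy would override them in AWS as well.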