https://docs.aws.amazon.com/ja_jp/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
-- 1. コマンド等のインストール
-- 1.1 aws cli version 2 インストール
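# Install AWS CLI v2 from the vendor zip. -f makes curl fail on an HTTP error
# instead of saving the error page (which unzip would then choke on), -S still
# reports that error, -L follows redirects.
curl -fSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# Supply-chain note: the installer below runs as root. AWS publishes a detached
# PGP signature for this zip (see the CLI install docs); verifying it with gpg
# before this point is the only check that the archive is what AWS shipped.
unzip awscliv2.zip
sudo ./aws/install
aws --version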
-- 1.2 jqインストール
# jq is used later to pull DistributionConfig / ETag out of the CLI's JSON output.
sudo yum install -y jq
-- 2. S3 バケットを作成する
# List existing buckets, then create the demo bucket. "bucket123" is a placeholder:
# bucket names are global, so pick one that is unlikely to already be taken.
aws s3 ls
aws s3 mb "s3://bucket123"
-- 3. 静的ウェブサイトホスティングの有効化
{
"IndexDocument": {
"Suffix": "index.html"
},
"ErrorDocument": {
"Key": "index.html"
}
}
# Apply the website configuration saved as a.json (the IndexDocument/ErrorDocument
# JSON above), then read it back.
# Note: this configuration only takes effect on the s3-website-<region> endpoint.
# The CloudFront origin created in step 7 uses the REST endpoint
# (bucket123.s3.ap-northeast-1.amazonaws.com), which ignores it - that is why
# --default-root-object is needed there.
aws s3api put-bucket-website --bucket bucket123 --website-configuration file://a.json
aws s3api get-bucket-website --bucket bucket123
-- 4. パブリックアクセスブロック設定の編集
-- 4.1 アカウントレベル
# WARNING: this is an ACCOUNT-WIDE change. Turning all four Block Public Access
# flags off here removes the guard rail from every bucket in account 999999999999,
# not just bucket123. If only this bucket needs to be public, skip this step and
# change the bucket-level setting only (step 4.2); the bucket-level setting is
# still subject to the account-level one, so the account flags need to be off
# only for the specific blocks the bucket actually requires.
# The cleanup section re-enables these flags - make sure that step is run.
aws s3control put-public-access-block --account-id 999999999999 \
  --public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false
aws s3control get-public-access-block --account-id 999999999999
-- 4.2 バケットレベル
# Bucket-level Block Public Access. For the public-read bucket policy in step 5
# only BlockPublicPolicy / RestrictPublicBuckets matter; the two *PublicAcls
# flags can stay true since no ACLs are used in this walkthrough.
aws s3api put-public-access-block --bucket bucket123 \
  --public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false
aws s3api get-public-access-block --bucket bucket123
-- 5. バケットポリシーの設定
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket123/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "0.0.0.0/0"
}
}
}
]
}
# Apply b.json (the PublicReadGetObject policy above) and read it back.
#
# Security note on b.json: the Condition "aws:SourceIp": "0.0.0.0/0" is a no-op -
# it matches every IPv4 address, so the statement is an unconditional
# Principal "*" read grant (and, because 0.0.0.0/0 is IPv4-only, it may actually
# exclude clients reaching S3 over IPv6). With the bucket world-readable, the
# geo restriction configured on CloudFront in step 9 is only a restriction on the
# CloudFront path: a blocked client can fetch the same object from the S3 URL
# directly. To make the geo restriction meaningful, keep the bucket private and
# front it with a CloudFront Origin Access Control, granting s3:GetObject only to
# the cloudfront.amazonaws.com service principal scoped to this distribution's
# ARN (see the CloudFront OAC documentation for the exact policy).
aws s3api put-bucket-policy --bucket bucket123 --policy file://b.json
aws s3api get-bucket-policy --bucket bucket123
-- 6. インデックスドキュメントの設定
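# Write the index document. A quoted heredoc replaces the interactive `vim` step
# so the listing can be run non-interactively; the file content is unchanged.
cat > index.html <<'EOF'
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>My Website Home Page</title>
</head>
<body>
<h1>Welcome to my website</h1>
<p>Now hosted on Amazon S3!</p>
</body>
</html>
EOF
# Upload with an explicit Content-Type: unlike `aws s3 cp`, s3api put-object does
# not guess the type, and browsers would otherwise not render the object as HTML.
aws s3api put-object --bucket bucket123 --key index.html --body index.html --content-type text/html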
-- 7. ディストリビューションの作成
# Create a distribution with the S3 REST endpoint as origin and index.html as the
# default root object. The --origin-domain-name shorthand builds an S3 origin with
# no origin access identity/control, so CloudFront reads the bucket anonymously -
# which is why steps 4-5 had to make the bucket public. AAAAAAAAAAAAAA below is
# the distribution Id returned by create-distribution / list-distributions.
aws cloudfront create-distribution --origin-domain-name bucket123.s3.ap-northeast-1.amazonaws.com --default-root-object index.html
aws cloudfront list-distributions
aws cloudfront get-distribution --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA
-- 8. 動作確認(地域制限追加前)
# Smoke test before the geo restriction. GET is curl's default method, so -X GET
# is not needed; -v shows the status line. The default *.cloudfront.net domain
# also serves HTTPS - prefer it for anything beyond a smoke test.
curl -v http://xxxxxxxxxxxxxx.cloudfront.net/index.html
-- 9. 地域制限追加
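aws cloudfront get-distribution --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA
# Save the full get-distribution-config response once, then derive both the
# editable config and the ETag from that same response. The ETag identifies this
# exact version of the config and is what update-distribution's --if-match
# expects; fetching it in a separate call later can pick up a newer version if
# anything else touched the distribution in between.
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA > current.json
# Apply the Restrictions block shown below with jq instead of hand-editing
# (equivalent result, but reproducible). Drop the `| .Restrictions...` part to
# get the untouched config for manual editing.
jq '.DistributionConfig
    | .Restrictions.GeoRestriction = {RestrictionType: "blacklist", Quantity: 1, Items: ["JP"]}' \
  current.json > distribution.json
# ETag to pass as --if-match in the update step.
jq -r '.ETag' current.json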
Restrictionsを下記のように修正
"Restrictions": {
"GeoRestriction": {
"RestrictionType": "blacklist",
"Quantity": 1,
"Items": ["JP"]
}
},
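# Push the edited distribution.json. --if-match must be the ETag of the config
# version that was edited; if the distribution changed since that read,
# CloudFront rejects the update with PreconditionFailed and the
# read/edit/update cycle has to be repeated. Capturing the ETag into a variable
# avoids hand-copying it into the command.
etag=$(aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA | jq -r '.ETag')
printf 'ETag: %s\n' "$etag"
aws cloudfront update-distribution \
  --id AAAAAAAAAAAAAA \
  --if-match "$etag" \
  --distribution-config file://distribution.json
# Reminder: the geo restriction is enforced at the CloudFront edge only. If the
# origin bucket is still publicly readable, it remains reachable via the S3 URL.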
-- 10. 動作確認(地域制限追加後)
# Same request as before the restriction (GET is the default, -X GET dropped).
# From a blocked country CloudFront answers 403 with the message shown below;
# the update must have finished deploying first.
curl -v http://xxxxxxxxxxxxxx.cloudfront.net/index.html
→ HTTP 403 Forbidden が返り、本文に "The Amazon CloudFront distribution is configured to block access from your country." が含まれる。（以下はブラウザで開いた場合の表示）
We can't connect to the server for this app or website at this time.
There might be too much traffic or a configuration error.
Try again later, or contact the app or website owner.
-- 11. クリーンアップ
-- ディストリビューションの無効化
# Inspect the distribution before disabling it (a distribution must be disabled
# and fully deployed before it can be deleted).
aws cloudfront get-distribution --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA
※ distribution.jsonはget-distribution-configコマンドのDistributionConfigから取得し、Enabledをfalseに変更する
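# Disable the distribution. Read the config once and take both the editable
# config and the ETag from that same response, so --if-match refers to exactly
# the version being modified.
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA > current.json
# Flip the top-level Enabled flag with jq rather than sed: DistributionConfig
# contains several "Enabled" keys (e.g. under Logging and the cache behaviors'
# TrustedSigners/TrustedKeyGroups), and a blind text substitution would change
# every one of them that is true, not just the one that disables the distribution.
jq '.DistributionConfig | .Enabled = false' current.json > distribution.json
etag=$(jq -r '.ETag' current.json)
aws cloudfront update-distribution \
  --id AAAAAAAAAAAAAA \
  --if-match "$etag" \
  --distribution-config file://distribution.json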
※ if-matchにはETagの値をセット
無効化されるまで待つ（get-distribution の Status が Deployed になるまで。`aws cloudfront wait distribution-deployed --id AAAAAAAAAAAAAA` で待機できる）
-- ディストリビューションの削除
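aws cloudfront get-distribution --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA
# delete-distribution succeeds only once the distribution is disabled and its
# Status is Deployed; --if-match takes the current ETag, captured here instead
# of being hand-copied.
etag=$(aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA | jq -r '.ETag')
aws cloudfront delete-distribution --id AAAAAAAAAAAAAA --if-match "$etag"
aws cloudfront list-distributions
# --force first deletes every object in the bucket, then the bucket itself;
# this is irreversible, so double-check the bucket name.
aws s3 rb s3://bucket123 --force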
-- アカウントレベルのパブリックアクセスブロックの有効化
# Restore the account-wide Block Public Access defaults that step 4.1 turned off.
# Do not skip this: while the flags are off, any bucket in the account can be
# made public by a policy or ACL. Read the setting back to confirm.
aws s3control put-public-access-block --account-id 999999999999 \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
aws s3control get-public-access-block --account-id 999999999999