Network policies: Apply network policy to presigned URL

Attention

This behavior change is in the 2024_03 bundle.

For the current status of the bundle, refer to Bundle History.

Network policies behave as follows:

Before the change:

Presigned URLs generated by the GET_PRESIGNED_URL function do not contain a security token.

After the change:

Presigned URLs generated by the GET_PRESIGNED_URL function contain a security token.

If an account administrator enabled the ENFORCE_NETWORK_RULES_FOR_INTERNAL_STAGES parameter, causing active network policies that use network rules to restrict access to presigned URLs to internal stages, then only the following clients can access the restricted internal stages:

  • IP addresses in the ALLOWED_IP_LIST parameter, and not in the BLOCKED_IP_LIST parameter of an active network policy.

  • IP addresses and VPCE IDs in the VALUE_LIST parameter of a network rule. The network rule must be in the ALLOWED_NETWORK_RULE_LIST parameter but not in the BLOCKED_NETWORK_RULE_LIST parameter of an active network policy. The network rule can have one of the following combinations of parameters set:

    • The TYPE parameter set to IPV4, and the MODE parameter set to INGRESS.

    • The TYPE parameter set to AWSVPCEID, and the MODE parameter set to INTERNAL_STAGE.

Ref: 1558

Language: English