I have some app configuration stored in a file in an S3 bucket (api keys). I have the S3 bucket configured to only allow access via a specific VPC endpoint, which ties the keys to specific environments, and prevents eg production keys being accidentally used in a staging or test environment.
However occasionally I need to amend these keys, and it's a pain. Currently the bucket policy prevents console access, so I have to remove the bucket policy, update the file, then replace the policy.
How can I allow access from the console, a specific VPC endpoint, and no where else?
Current policy, where I've tried and failed already:
{
  "Version": "2012-10-17",
  "Id": "Policy12345",
  "Statement": [
    {
      "Sid": "Principal-Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-keys-staging",
        "arn:aws:s3:::my-keys-staging/*"
      ]
    },
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-keys-staging",
        "arn:aws:s3:::my-keys-staging/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-vpceid"
        }
      }
    }
  ]
}
As mentioned in the comments, an explicit Deny cannot be overridden. By including the Deny tied to a particular VPC, you cannot add any other Allow elements to counteract that Deny statement.
Option 1
One option is to change your "deny if not from VPC abc" statement to "allow if from VPC abc". This would allow you to add additional Allow statements to your policy to allow you to access the bucket from elsewhere.
However, there are 2 very important caveats that go along with doing that:
So by changing Deny to Allow, you will no longer have a VPC restriction at the bucket level. This may or may not be within your organization's security requirements.
Option 2
Instead, you can amend your existing Deny to add additional conditions, which will work in an AND situation:
"Condition": {
  "StringNotEquals": {
    "aws:sourceVpce": "vpce-vpceid",
    "aws:username": "your-username"
  }
}
This type of condition will deny the request if:
So you should be able to maintain the restriction of limiting requests to your VPC, with the exception that your user sign-in would be allowed access to the bucket from anywhere.
Note the security hole you are opening up by doing this. You should ensure you restrict the username to one that (a) does not have any access keys assigned, and (b) has MFA enabled.
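To make the AND behaviour of Option 2 concrete, here is an added example (not code from the question, the answer, or AWS) that builds both the original VPC-endpoint-only policy and the Option 2 policy and runs a handful of constructed request contexts through a deliberately small model of the evaluation rules the answer relies on. It is not the IAM evaluation engine: it assumes principal, action, resource and the caller's identity policy are already satisfied, and models only three rules: an explicit Deny wins, several keys under one operator are ANDed, and a key that is absent from the request context makes a negated operator such as StringNotEquals evaluate to true. The endpoint id, account id, user name and request contexts are made-up sample values.

```python
"""Model of how the Option 2 bucket policy decides requests.

Added example, not code from the original question or answer and not
AWS's evaluation engine: it reproduces only the three rules the answer
relies on and treats everything else (principal, action and resource
matching, the caller's identity policy) as already satisfied.
  1. An explicit Deny wins over any Allow.
  2. Several keys under one operator (StringNotEquals here) are ANDed.
  3. For a negated operator, a key absent from the request context
     evaluates as true ("not equal").
Endpoint id, account id, user name and request contexts are constructed samples.
"""

BUCKET = "my-keys-staging"
ALLOWED_VPCE = "vpce-0123456789abcdef0"   # constructed sample endpoint id
ADMIN_USER = "keys-admin"                 # constructed sample IAM user name


def bucket_policy(deny_conditions: dict) -> dict:
    """Build the bucket policy from the question with the given
    StringNotEquals keys on its Deny statement."""
    resources = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Principal-Access",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                "Action": "s3:*",
                "Resource": resources,
            },
            {
                "Sid": "Access-to-specific-VPCE-only",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"StringNotEquals": deny_conditions},
            },
        ],
    }


# The question's policy: Deny unless the request came through the endpoint.
ORIGINAL_POLICY = bucket_policy({"aws:sourceVpce": ALLOWED_VPCE})
# Option 2 from the answer: Deny only if the request is neither from the
# endpoint nor made by the named IAM user (both keys must be "not equal").
OPTION2_POLICY = bucket_policy({"aws:sourceVpce": ALLOWED_VPCE,
                                "aws:username": ADMIN_USER})

# Constructed request contexts: the condition keys IAM would populate.
SAMPLE_REQUESTS = {
    "app via staging endpoint":    {"aws:sourceVpce": ALLOWED_VPCE},
    "admin user in console":       {"aws:username": ADMIN_USER},
    "other user in console":       {"aws:username": "someone-else"},
    "app via production endpoint": {"aws:sourceVpce": "vpce-0fedcba9876543210"},
    "assumed role from internet":  {},   # role sessions carry no aws:username
}


def string_not_equals(keys: dict, context: dict) -> bool:
    """Every key must differ from its expected value (rule 2); a key
    missing from the context counts as different (rule 3)."""
    return all(context.get(k) != v for k, v in keys.items())


def condition_matches(condition: dict, context: dict) -> bool:
    """A statement with no Condition block always matches."""
    for operator, keys in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        if not string_not_equals(keys, context):
            return False
    return True


def evaluate(policy: dict, context: dict) -> str:
    """'Deny' if any Deny statement matches, else 'Allow' if an Allow
    statement matches, else 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # rule 1: an explicit Deny is final
        decision = "Allow"
    return decision


def decisions(policy: dict) -> dict:
    """Decision for every sample request under the given policy."""
    return {name: evaluate(policy, ctx) for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("option 2", OPTION2_POLICY)):
        print(label)
        for name, verdict in decisions(policy).items():
            print(f"  {name:28s} -> {verdict}")
```

Under the original policy only the request through the staging endpoint is allowed; under Option 2 the named IAM user is allowed from anywhere as well, while another console user, a request through a different endpoint, and a role session (which has no aws:username key, so the negated condition still matches) are all denied. Two caveats the model hides: the Allow to the account root only delegates to IAM, so the user still needs an identity-based policy granting the action, and because the exception is keyed on a user name rather than a network path, that user is the whole of the remaining attack surface, which is why it should be a dedicated MFA-protected user with no access keys.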