
S3 Bucket access policy: Deny on IP range and VPC Endpoint not working

I have a bucket in AWS S3. I want to allow the following access to it:

  1. From my EC2 instances in same account.
  2. From a fixed set of IP addresses (from my corp network).

I have tried the following:

{
"Version": "2008-10-17",
"Statement": [
    {
        "Sid": "Allow from VPCE",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
        ],
        "Resource": [
            "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::mybucket"
        ],
        "Condition": {
            "StringEquals": {
                "aws:sourceVpce": "vpce-1234"
            }
        }
    },
    {
        "Sid": "Allow from IP",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
        ],
        "Resource": [
            "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::mybucket"
        ],
        "Condition": {
            "IpAddress": {
                "aws:SourceIp": [
                    "X.X.X.X/32"
                ]
            }
        }
    },
    {
        "Sid": "Deny from NOT-IP",
        "Effect": "Deny",
        "Principal": "*",
        "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
        ],
        "Resource": [
            "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::mybucket"
        ],
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "X.X.X.X/32"
                ]
            }
        }
    },
    {
        "Sid": "Deny from VPCE",
        "Effect": "Deny",
        "Principal": "*",
        "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
        ],
        "Resource": [
            "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::mybucket"
        ],
        "Condition": {
            "StringNotEquals": {
                "aws:sourceVpce": "vpce-1234"
            }
        }
    }
]

}

My intent is to allow access from the IP range or the VPCE and deny access from any other IP/VPCE. My public access settings block ALL at the account level (everything is blocked). This policy is not working when I try to get the object from a browser running on a machine with public IP XXXX.

My Questions:

  • How to have a logical OR in the conditions? (VPCE OR IP)

The IAM role (on the EC2 machine) has permissions to the bucket.

The first two policies are permitting access via VPCE OR IP address range.

The first Deny is denying access to anybody not on the given IP address range. This also denies access via the VPCE if they are not coming from those IP address ranges.

The second Deny is denying access to anybody not coming from the VPCE. This also denies access to requests from the correct IP ranges if they aren't coming via the VPCE.

You can probably fix it by combining the two Deny policies together with both conditions in the same policy. This will make them act like an AND condition.

As an aside, I normally recommend against using Deny policies unless they are totally unavoidable. They can lead to many unexpected situations.
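The following is an added example, not code from the question, the answer, or AWS. It is a small simulator of the relevant part of IAM policy evaluation (an explicit Deny wins; otherwise at least one matching Allow is needed; within one Condition block every operator/key pair must match, i.e. they are ANDed) run against the two Deny layouts discussed above: the original pair of separate Deny statements, and a single Deny carrying both the NotIpAddress and StringNotEquals conditions. It assumes, per AWS's documented behaviour for the global condition keys, that a request arriving through a VPC endpoint has no aws:SourceIp in its context, that a request from the Internet has no aws:sourceVpce, and that a negated operator (NotIpAddress, StringNotEquals) evaluates to true when its key is absent. Principal/Action/Resource matching, identity-based policies and the Block Public Access settings are deliberately left out; the IP addresses, endpoint ID and request contexts are constructed sample data.

```python
import ipaddress

# Constructed sample data; the corp IP stands in for the post's X.X.X.X.
CORP_IP = "198.51.100.10"
VPCE_ID = "vpce-1234"

# Constructed request contexts. Assumption (from AWS's condition-key docs):
# a VPC-endpoint request carries no aws:SourceIp, an Internet request carries
# no aws:sourceVpce.
REQUESTS = {
    "corp_browser":   {"aws:SourceIp": CORP_IP},
    "ec2_via_vpce":   {"aws:sourceVpce": VPCE_ID},
    "internet_other": {"aws:SourceIp": "203.0.113.5"},
}


def _match_ip(value, cidrs):
    return any(ipaddress.ip_address(value) in ipaddress.ip_network(c) for c in cidrs)


OPERATORS = {
    "StringEquals":    lambda v, expected: v in expected,
    "StringNotEquals": lambda v, expected: v not in expected,
    "IpAddress":       _match_ip,
    "NotIpAddress":    lambda v, expected: not _match_ip(v, expected),
}
NEGATED = {"StringNotEquals", "NotIpAddress"}


def condition_matches(condition, ctx):
    """Every operator/key pair inside one Condition block must match (AND)."""
    present = {k.lower(): v for k, v in ctx.items()}  # key names are case-insensitive
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            value = present.get(key.lower())
            if value is None:
                # Assumption: a missing key makes negated operators true, others false.
                if op not in NEGATED:
                    return False
                continue
            if not OPERATORS[op](value, expected):
                return False
    return True


def evaluate(policy, ctx):
    """Simplified IAM decision: explicit Deny wins, then any Allow, else implicit deny."""
    granted = False
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY:" + stmt["Sid"]
        granted = True
    return "ALLOW" if granted else "IMPLICIT_DENY"


ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutObject"]
RESOURCES = ["arn:aws:s3:::mybucket/*", "arn:aws:s3:::mybucket"]


def stmt(sid, effect, condition):
    return {"Sid": sid, "Effect": effect, "Principal": "*",
            "Action": ACTIONS, "Resource": RESOURCES, "Condition": condition}


ALLOW_STMTS = [
    stmt("Allow from VPCE", "Allow", {"StringEquals": {"aws:sourceVpce": VPCE_ID}}),
    stmt("Allow from IP", "Allow", {"IpAddress": {"aws:SourceIp": [CORP_IP + "/32"]}}),
]

# Layout from the question: two separate Deny statements, each sufficient on its own.
POLICY_TWO_DENIES = {"Version": "2012-10-17", "Statement": ALLOW_STMTS + [
    stmt("Deny from NOT-IP", "Deny", {"NotIpAddress": {"aws:SourceIp": [CORP_IP + "/32"]}}),
    stmt("Deny from VPCE", "Deny", {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}}),
]}

# Layout from the answer: one Deny whose two conditions are ANDed, so it only
# fires when the request is neither from the corp IP nor from the endpoint.
POLICY_MERGED_DENY = {"Version": "2012-10-17", "Statement": ALLOW_STMTS + [
    stmt("Deny unless IP or VPCE", "Deny", {
        "NotIpAddress": {"aws:SourceIp": [CORP_IP + "/32"]},
        "StringNotEquals": {"aws:sourceVpce": VPCE_ID},
    }),
]}


def decisions(policy):
    """Evaluate every sample request against one policy; returns {request: decision}."""
    return {name: evaluate(policy, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("two denies", POLICY_TWO_DENIES), ("merged deny", POLICY_MERGED_DENY)):
        print(label, decisions(policy))
```

With two separate Deny statements every sample request is denied: the corp browser trips "Deny from VPCE" (no aws:sourceVpce, so StringNotEquals is true), and the EC2 request through the endpoint trips "Deny from NOT-IP" (no aws:SourceIp, so NotIpAddress is true). With the merged Deny the corp browser and the endpoint request are allowed and only the unknown Internet address is denied, which is the OR the question asked for.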
