I am looking for a policy that rejects all access to ecr unless you are coming from a specific vpc endpoint. This is what I have below.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImage",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-XXXXXXX"
        }
      }
    }
  ]
}
I can list images on both my local computer and through my ec2 instance that is connected to the vpc endpoint.
Note that the bucket policy below works and rejects all access to list objects in the bucket unless on the VPC endpoint.
{
  "Version": "2012-10-17",
  "Id": "VPCe",
  "Statement": [
    {
      "Sid": "VPCe",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::XXXXXX",
        "arn:aws:s3:::XXXXXXX/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-XXXXXXXXXXX"
        }
      }
    }
  ]
}
Try adding "Resource": "*" in your first statement
The second policy may work, but it is important to understand why. An IAM rule applies if and only if it matches a supported combination of all the attributes. For example: according to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-bucket the ListBucket action requires a bucket resource ARN. The bucket ARN looks like this:
arn:${Partition}:s3:::${BucketName}
while an object ARN looks like this:
arn:${Partition}:s3:::${BucketName}/${ObjectName}
Both are described on the same page. Note that the object ARN has a mandatory slash '/' character. You can try it: if you remove "arn:aws:s3:::XXXXXXX/*" from your bucket policy, it will still work, but if you remove "arn:aws:s3:::XXXXXX" the policy will stop working.
In your condition you use aws:SourceVpce, which is not documented for the S3 service (still the same link). This is because it has nothing to do with the S3 service. It is related to VPC endpoints, as described here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html . From that I assume that you created a VPC endpoint for S3 in your VPC. This is why your S3 policy works.
By default AWS API calls use public endpoints unless documented otherwise. A service VPC endpoint can create a DNS alias, and because the AWS API is based on HTTPS, everything works without any change.
ECR seems to support VPC endpoints: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html
And the list of global condition keys does mention the sourcevpce key: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpce
ONLY Gateway Endpoints seem to support the sourcevpce key, and only S3 and DynamoDB are listed under services supporting Gateway Endpoints: https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html . If a combination of a condition key and resource ARN is not supported, I would expect the rule to be ignored.
You mention that the S3 policy is a bucket policy, but is the ECR policy a resource policy for every single ECR repository you have?
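The two answers above both come down to whether a statement names every element IAM needs to match a request. As an added example (not code from the question or either answer), here is a small policy linter that parses both posted policies, normalises the string-or-list fields, and reports Deny statements conditioned on aws:SourceVpce that have no Resource element; the two embedded policies are constructed from the posted ones with placeholder identifiers.

```python
import json

# Constructed samples (placeholder ids): the questioner's ECR repository policy as
# posted, with no Resource element, and the working S3 bucket policy.
ECR_POLICY = """{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "Statement1", "Effect": "Deny", "Principal": "*",
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}
  }]
}"""

S3_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VPCe", "Effect": "Deny", "Principal": "*",
    "Action": "s3:ListBucket",
    "Resource": ["arn:aws:s3:::bucket-placeholder", "arn:aws:s3:::bucket-placeholder/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}
  }]
}"""


def as_list(value):
    """IAM accepts a string or a list for Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_keys(statement):
    """Condition keys used by a statement, lower-cased (IAM matches them case-insensitively)."""
    return {key.lower() for block in statement.get("Condition", {}).values() for key in block}


def lint_policy(policy_text):
    """Return one finding per problem found in a resource-based policy document."""
    findings = []
    for stmt in json.loads(policy_text)["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            findings.append(f"{sid}: resource-based policy statement has no Principal")
        has_resource = as_list(stmt.get("Resource")) or as_list(stmt.get("NotResource"))
        if "aws:sourcevpce" in condition_keys(stmt) and not has_resource:
            # The omission the first answer points at: a Deny scoped by the VPC endpoint
            # but with no Resource element to match the request against.
            findings.append(f"{sid}: aws:SourceVpce Deny has no Resource element")
    return findings
```

Run lint_policy over each repository's policy document and the S3 policy comes back clean while the ECR policy reports Statement1.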