AWS S3: IAM Policy with Deny IP Block Denies All IPs

I have an IAM policy bound to a user that includes a block like:

...
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "0.0.0.0/0"
                    ]
                }
            }
        }
...

If my understanding is correct, this should allow any IP -- this block should have no effect. However, when I try to do some S3 operations as a user that is bound to this policy, the actions yield Access Denied. When I remove this block from the IAM policy, the S3 operations are allowed.

What is wrong with this policy, or my understanding thereof?

I've tried a similar policy but with a real array of IPs I want to allow through, but same result -- so I figured this would be a better minimal example to clarify my understanding.

When using the actual list of trusted IPs, it turns out that S3 was seeing the internal IPs of the source nodes, not their external IPs (which is what I was including in the list). Filtering based on the internal IPs or based on the VPC ID that contained all the nodes worked. This still doesn't explain why a filter using 0.0.0.0/0 as above blocked any traffic, but hopefully this helps in case anyone else runs into something like this.
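To make the evaluation mechanics concrete, here is an added example (not code from the question or the answer above) that simulates how the Allow statement and the conditional Deny block interact. It uses constructed addresses (203.0.113.10 as the node's external/NAT address, 10.0.1.25 as the private address S3 actually saw, 10.0.0.0/16 as the VPC CIDR and a placeholder VPC id), models only the IpAddress/NotIpAddress and StringEquals/StringNotEquals operators, ignores Action/Resource matching (everything here is "*"), and deliberately does not model a request whose context lacks the aws:SourceIp key. Besides reproducing the private-versus-external mismatch and the two fixes the answer describes, the simulation exposes one scenario where a NotIpAddress on 0.0.0.0/0 does deny: an IPv6 source address is never inside an IPv4 range. That is a property of CIDR matching, not a claim about what happened in the poster's environment.

```python
import ipaddress

# Constructed sample values (not from the original post).
PUBLIC_NAT_IP = "203.0.113.10"     # external/NAT address the poster put in the allow-list
PRIVATE_NODE_IP = "10.0.1.25"      # private address S3 actually saw, per the answer
VPC_CIDR = "10.0.0.0/16"           # CIDR covering the nodes' internal addresses
VPC_ID = "vpc-0123456789abcdef0"   # placeholder VPC id


def make_policy(trusted_values, deny_operator="NotIpAddress", key="aws:SourceIp"):
    """Hypothetical minimal policy: Allow s3:*, then Deny unless the condition key
    matches one of the trusted values (the shape of the block in the question)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": "*",
                "Condition": {deny_operator: {key: list(trusted_values)}},
            },
        ],
    }


def ip_in_any(ip, cidrs):
    """IpAddress semantics: true when ip lies in at least one CIDR of the same family."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def condition_matches(operator, values, context_value):
    """Evaluate one operator against one request-context value. A missing key is
    rejected rather than guessed at: AWS documents that aws:SourceIp is absent for
    requests made through a VPC endpoint, and that case is not simulated here."""
    if context_value is None:
        raise ValueError("context key missing; this simulator does not model that case")
    if operator == "IpAddress":
        return ip_in_any(context_value, values)
    if operator == "NotIpAddress":
        return not ip_in_any(context_value, values)
    if operator == "StringEquals":
        return context_value in values
    if operator == "StringNotEquals":
        return context_value not in values
    raise ValueError(f"unsupported operator {operator}")


def evaluate(policy, context):
    """Simplified IAM evaluation: an explicit Deny whose conditions all match wins
    over any Allow; with no matching Allow the result is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        conds = stmt.get("Condition", {})
        applies = all(
            condition_matches(op, vals, context.get(key))
            for op, pairs in conds.items()
            for key, vals in pairs.items()
        )
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def demo():
    """Run the scenarios from the thread and return the decision for each."""
    results = {}
    external_only = make_policy([PUBLIC_NAT_IP + "/32"])
    # Allow-list holds the external address, but the context carries the private one.
    results["external_list_private_source"] = evaluate(
        external_only, {"aws:SourceIp": PRIVATE_NODE_IP})
    # Same policy when the request really does arrive from the NAT address.
    results["external_list_public_source"] = evaluate(
        external_only, {"aws:SourceIp": PUBLIC_NAT_IP})
    # Fix A from the answer: allow-list the internal addresses instead.
    results["vpc_cidr_private_source"] = evaluate(
        make_policy([VPC_CIDR]), {"aws:SourceIp": PRIVATE_NODE_IP})
    # Fix B from the answer: key the Deny off the VPC id rather than an address.
    results["vpc_id_match"] = evaluate(
        make_policy([VPC_ID], "StringNotEquals", "aws:SourceVpc"),
        {"aws:SourceVpc": VPC_ID})
    # The 0.0.0.0/0 block: every IPv4 source is inside it, so the Deny never fires...
    results["any_v4_source"] = evaluate(
        make_policy(["0.0.0.0/0"]), {"aws:SourceIp": PRIVATE_NODE_IP})
    # ...but an IPv6 source is not inside an IPv4 range, so the same block denies it.
    results["any_v4_but_v6_source"] = evaluate(
        make_policy(["0.0.0.0/0"]), {"aws:SourceIp": "2001:db8::1"})
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32s} {decision}")
```

The first two scenarios are the mismatch the answer reports: the policy is fine, but the address in the request context is not the one in the list. The two fixes differ in what they depend on: a CIDR list has to be kept in step with the network layout, while aws:SourceVpc ties the exception to the VPC itself, which is generally easier to keep correct.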
