I currently have a S3 bucket policy that ONLY allows GET access if the user agent matches "ALLOW_USER_AGENT"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
}
}
I want to modify this policy so that it allows GET access if the user agent matches "ALLOW_USER_AGENT" OR if the origin IP is 11.11.11.11
Here is my first crack at this policy. Is this the right policy? I want to allow GET access if 1 of these 2 statements are true (not both)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
},
{
"Sid": "SourceIP",
"Action": "s3:GetObject",
"Effect": "Deny",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"11.11.11.11/32",
]
},
"Principal": {
"AWS": "*"
}
}
]
}
According to your requeriments the Allow/Deny rules should be:
C1 (condition 1): aws:UserAgent = ALLOW_USER_AGENT
C2 (condition 2): aws:SourceIp = 11.11.11.11/32
The corresponding bucket policy would be:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "deny-if-both-conditions-are-true",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
},
"IpAddress": {
"aws:SourceIp": "11.11.11.11/32"
}
}
},
{
"Sid": "deny-if-neither-conditions-are-met",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "11.11.11.11/32"
},
"ForAnyValue:StringNotEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
}
}
}
]
}
I have tested this policy and works as expected. Additionally, I have updated the operator "ForAllValues" by "ForAnyValue".
Use the curl command with "-A" option to set any User Agent.
Reference:
Creating a condition with multiple keys or values
Related
I have restricted the read access on my entire bucket to specific IPs, e.g. 1.1.1.0 & 2.2.2.0 as per the bucket policy given below.
There's a file in it, s3://MYBUCKET/onefile.txt, to which I want to give another set of IPs read access, e.g. to 3.3.3.0 and 4.4.4.0. So that now onefile.txt can only be accessed by 3.3.3.0 and 4.4.4.0 but NOT by 1.1.1.0 & 2.2.2.0 or any other.
How can I accomplish that?
Current Permissions > Bucket Policy (e.g.)
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "MY RESTRICTED REQUESTS",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
}
]
}
Add explicit deny and allow statements for that file onefile.txt in addition to the existing statement in the Policy.
The updated bucket policy would look like,
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "MY RESTRICTED REQUESTS",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
},
{
"Sid": "MY RESTRICTED REQUESTS_1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"3.3.3.0/20",
"4.4.4.0/22"
]
}
}
},
{
"Sid": "MY RESTRICTED REQUESTS_2",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
}
]
}
I'm unable to access AWS ES cluster that has the following access policy, My IP is one of the IP listed, please advise if you there is something missing.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"52.000.000.07",
"54.00.000.000"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
]
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*"
}
]
}
I did some more digging, I believe this is what you are looking for:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
]
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"52.000.000.07",
"54.00.000.000"
]
}
}
}
]
}
There is some more detail here in my repo wiki page
How to create AWS policy giving access to some IPs addresses OR Lambda for Elasticsearch service.
So, that have access to ES from IPs and that Lambda have access to.
This no working for me:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"xxx",
"xxx"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:eu-central-1:xxx:function:xxx"
}
}
}
]
}
Thanks for help.
I have created a bucket policy to try and stop hotlinking to my S3 files from people who gain the direct URL. I only want my website to be able to access those files. However when I direct link even with the below policy, it still allows access to the file. The files are all set to public.
{
"Id": "Policy1491040992219",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://mywebsite.com/*"
}
},
"Principal": "*"
},
{
"Sid": "Stmt14910403436760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "http://localhost:8888/*"
}
},
"Principal": "*"
}
]
}
Do I need to change any settings on the actual S3 bucket settings to stop all access?
Thanks!
You are missing the Deny statement. Try this policy:
{
"Version": "2008-10-17",
"Id": "Policy1491040992219",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
},
{
"Sid": "Stmt14910401236761",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
}
]
}
I'm trying to create a policy for only read/put/list my bucket and a dir into it.
I've write this policy:
{
"Version": "2014-05-19",
"Statement": [
{
"Effect": "Allow",
"Action": [ "s3:Put*", "s3:Get*" ],
"Resource": "arn:aws:s3:::<mybucket>/<mydirectoryinbucket>/*"
}
]
}
{
"Version": "2014-05-19",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Condition": { "StringLike": { "s3:prefix": "<mydirectoryinbucket>/*"} },
"Resource": "arn:aws:s3:::<mybucket>"
}
]
}
But I get error on the last line of the first policy...the error is only syntax error, and no additional informations.
Where I did wrong ?
You're at the very least missing the principal, which defines the entity that is allowed or denied access to a resource.
I took your policy, added the wildcard * to denote 'any' principal, and regenerated it with the IAM Policy Generator. Try this:
{
"Id": "Policy1432045314996",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicGetAndPutPolicy",
"Action": [
"s3:Get*",
"s3:Put*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<mybucket>/<mydirectoryinbucket>/*",
"Principal": "*"
},
{
"Sid": "PublicListPolicy",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<mybucket>",
"Condition": {
"StringLike": {
"s3:prefix": "<mydirectoryinbucket>/*"
}
},
"Principal": "*"
}
]
}
Documentation:
Specifying a Principal in a Policy