S3 public Url accessible only from instance inside VPC - amazon-web-services

I'm trying to restrict access for my S3 bucket objects to be accessible using the public URL only from instances inside a VPC. Trying to achieve it using Bucket Policy by specifying VPC id. Check the bucket policy below.
"Version": "2012-10-17",
"Id": "Policy1596618884802",
"Statement": [
{
"Sid": "Stmt1596618880986",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::<--bucket-name-->",
"arn:aws:s3:::<--bucket-name-->/*"
],
"Condition": {
"StringEquals": {
"aws:SourceVpc": "<--vpd-id-->"
}
}
}
]
}
But even after this policy the objects are not accessible from the URL but are accessible using s3 api inside the VPC.

Related

Limit public access of bucket to vpc endpoint

So I want my S3 bucket to be publicly accessible but only if the request is sent through the VPC endpoint. I allowed public access on both my bucket level and account level and also added the following statements to my bucket policy:
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"${media_storage_bucket_arn}",
"${media_storage_bucket_arn}/*"
]
},
{
"Sid": "Access-to-specific-VPCE-only",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::${current_account}:root"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"${media_storage_bucket_arn}",
"${media_storage_bucket_arn}/*"
],
"Condition": {
"StringEquals": {
"aws:sourceVpce": "${vpc_endpoint}"
}
}
}
I have an EC2 server in a private subnet that needs to read images from an S3 bucket using a curl command and the object URL, so far, the easiest way to accomplish this would be to lift all the public access blocks, but this compromises the safety of the files in the bucket, so that is why I implemented the vpc endpoint statement to restrict access if the request is not sent through the endpoint, This works fine, but it still allows me to read any object in the bucket through its URL even if the request is not sent through the vpc endpoint. I'm sure there has to be an easier/better approach.

Having trouble creating a policy in AWS

I have been tasked with an assignment to create what I believe is a bucket policy in AWS. I have uploaded a video to an S3 bucket, and I have to create a policy to limit who can view it based on their IP address. Currently I need to make it so only somebody at my home network can watch it.
I am also supposed to restrict who can watch it based on their username. The bucket is publicly viewable right now and so is the video file.
I have two policies below that I have tried and neither of them are working.
First Policy: I have tried using both my private and public IP addresses.
{
"Version": "2012-10-17",
"Id": "Policy1607205862213",
"Statement": [
{
"Sid": "Stmt1607205861134",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::internshipbucket12",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "10.1.10.1"
}
}
}
]
}
Second Policy: Whenever I try using the arn of my bucket, it gives an error of some kind. When I put in the arn of the video file I am using, it accepts it just fine.
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET;",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "54.240.143.0/24"
}
}
}
]
}
Amazon S3 buckets are private by default. Therefore, there is no need to 'Deny' access, since it is already denied by default. Instead, you should use an 'Allow' policy to permit access.
Turn off Block S3 Public Access (or at least the two parts that refer to Bucket Policies)
Add a policy that permits access to objects from a given IP address:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::internshipbucket12/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "54.240.143.0"
}
}
}
]
}
Note that this is granting access to a public IP address, and is only permitting GetObject, so the user will need to know the exact filename (Key) of the object they want (since it does not grant permission to list the contents of the bucket).

How can I add IP restrictions to s3 bucket(in the bucket Policy) already having a User restriction

I have a few s3 buckets, for which I have given access to only a specific IAM user. I did it by setting the following bucket policies :
Effect : "Deny"
NotPrincipal : { "AWS " : "<My_IAM_User>" }
I'm able to access the buckets only from the IAM user, so the policy works as expected, but I also want to restrict the bucket access to only a specific IP. This IP is the ec2 IP address my server is running on. The policy values I've used is as :
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"<My_EC2_Server_IP_Address>"
]
}
}
I was expecting the above policy would allow only my EC2 server to access the s3 bucket objects, but if I'm making a call from any other IP ( eg : running the server on my local machine and trying to access the buckets. ) it's still responds with valid objects from the bucket.
The above policy does NOT seem to block any request to access the bucket is made from other random IP addresses.
My entire bucket policy looks like :
{
"Version": "<Version_value>",
"Statement": [
{
"Sid": "<Sid_value>",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "<My_IAM_User>"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<My_Bucket_name>/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "<My_EC2_Server_IP_Address>"
}
}
}
]
}
My References :
1. https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/
2. https://medium.com/#devopslearning/100-days-of-devops-day-11-restricting-s3-bucket-access-to-specific-ip-addresses-a46c659b30e2
If your intention is to deny all AWS credentials except a given IAM user and to deny all IP addresses other than a given IP, then I would write that policy as two, independent deny statements.
Something like this:
{
"Version": "<Version_value>",
"Statement": [
{
"Sid": "deny1",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "<My_IAM_User>"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<My_Bucket_name>/*"
},
{
"Sid": "deny2",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<My_Bucket_name>/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "<My_EC2_Server_IP_Address>"
}
}
}
]
}
Be careful with the IP address condition. Unless you are using an Elastic IP, your EC2 instance's IP can change e.g. if you stop then restart the instance.
Also note: you should not be using IAM User credentials on an EC2 instance. Instead, you should be using IAM Roles.

Access S3 bucket from VPC

I'm running a NodeJS script and using the aws-sdk package to write files to an S3 bucket. This works fine when I run the script locally, but not from a ECS Fargate service, that's when I get Error: AccessDenied: Access Denied.
The service has the allowed VPC vpc-05dd973c0e64f7dbc. I've tried adding an Internet Gateway to this VPC, and also an endpoint (as seen in the attached image) - but nothing resolves the Access Denied error. Any ideas what I'm missing here?
SOLVED: the problem was me misunderstanding aws:sourceVpce. It requires the VPC endpoint id and not the VPC id. **
Endpoint
Internet Gateway
Bucket policy:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3MKW5OAU5CHLI"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mywebsite.com/*"
},
{
"Sid": "Stmt1582486025157",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::mywebsite.com/*",
"Principal": "*",
"Condition": {
"StringEquals": {
"aws:sourceVpce": "vpc-05dd973c0e64f7dbc"
}
}
}
]
}
Please add an bucket policy that allows access from the VPC endpoint.
Update your bucket policy with a condition, that allows users to access the S3 bucket when the request is from the VPC endpoint that you created. To white list those users to download objects, you can use a bucket policy that's similar to the following:
Note: For the value of aws:sourceVpce, enter the VPC endpoint ID of the endpoint that you created.
{
"Version": "2012-10-17",
"Id": "Policy1314555909999",
"Statement": [
{
"Sid": "<<Access-to-specific-VPConly>>",
"Principal": "*",
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": ["arn:aws:s3:::awsexamplebucket/*"],
"Condition": {
"StringEquals": {
"aws:sourceVpce": "vpce-1c2g3t4e"
}
}
}
]
}

Amazon S3 objects: is it possible to restrict public read policy to some IP adresses only ?

A have a bucket with a public read policy. Now I want to restrict access to some of the objects in order to be accessible only from some IP adresses. Is this possible?
I also plan to add CloudFront. What should I do to keep the same settings on each object?
Thanks!
You can use S3 bucket policy. But instead of individual files it will be applied to individual folders in the bucket. You can use policy like the following:
{
"Version": "2008-10-17",
"Id": "testPolicy",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/subfolder/subfolder2/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"xxx.xxx.xxx.xxx/xx",
"xxx.xxx.xxx.xxx/xx"
]
}
}
}
]
}
User your bucket name and folder names, and IPs.
Note: Please try it first on a non production bucket.