I'm unable to access AWS ES cluster that has the following access policy, My IP is one of the IP listed, please advise if you there is something missing.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"52.000.000.07",
"54.00.000.000"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
]
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*"
}
]
}
I did some more digging, I believe this is what you are looking for:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
]
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"52.000.000.07",
"54.00.000.000"
]
}
}
}
]
}
There is some more detail here in my repo wiki page
Related
I tried to implement the AWS Permission Boundary to user1 who has full permission on IAM actions. Then user1 created a another user (user2). The user2 is apple to do any actions without any restriction. As I understood, the user2 should not have more permission than user1. Anyone had same issue? anyone got any sample Permission Boundary policy?
Had a kind of same issue with AWS Permission Boundary and issue was with the the policy didn't deny some permission. Eg: DeleteUserPermissionsBoundary, DeleteRolePermissionsBoundary
You can find the full video explanation here: https://youtu.be/ExjW3HCFG1U?t=3402
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IAMAccess",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
},
{
"Sid": "DenyCreatingUserWithoutPermisionBoundary",
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:CreateRole"
],
"Resource": [
"arn:aws:iam::YOUR_ACCOUNT_ID:user/*",
"arn:aws:iam::YOUR_ACCOUNT_ID:role/*"
],
"Condition": {
"StringNotEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/permission-boundary"
}
}
},
{
"Sid": "DenyDeletingPolicy",
"Effect": "Deny",
"Action": [
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:CreatePolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"Resource": [
"arn:aws:iam::YOUR_ACCOUNT_ID:policy/permission-boundary"
]
},
{
"Sid": "DenyDeletingPermBoundaryFromAnyUserOrRole",
"Effect": "Deny",
"Action": [
"iam:DeleteUserPermissionsBoundary",
"iam:DeleteRolePermissionsBoundary"
],
"Resource": [
"arn:aws:iam::YOUR_ACCOUNT_ID:user/*",
"arn:aws:iam::YOUR_ACCOUNT_ID:role/*"
],
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/permission-boundary"
}
}
},
{
"Sid": "DenyUpdatingPermissionBoundary",
"Effect": "Deny",
"Action": [
"iam:PutUserPermissionsBoundary",
"iam:PutRolePermissionsBoundary"
],
"Resource": [
"arn:aws:iam::YOUR_ACCOUNT_ID:user/*",
"arn:aws:iam::YOUR_ACCOUNT_ID:role/*"
],
"Condition": {
"StringNotEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/permission-boundary"
}
}
}
]
}
I currently have a S3 bucket policy that ONLY allows GET access if the user agent matches "ALLOW_USER_AGENT"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
}
}
I want to modify this policy so that it allows GET access if the user agent matches "ALLOW_USER_AGENT" OR if the origin IP is 11.11.11.11
Here is my first crack at this policy. Is this the right policy? I want to allow GET access if 1 of these 2 statements are true (not both)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
},
{
"Sid": "SourceIP",
"Action": "s3:GetObject",
"Effect": "Deny",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"11.11.11.11/32",
]
},
"Principal": {
"AWS": "*"
}
}
]
}
According to your requeriments the Allow/Deny rules should be:
C1 (condition 1): aws:UserAgent = ALLOW_USER_AGENT
C2 (condition 2): aws:SourceIp = 11.11.11.11/32
The corresponding bucket policy would be:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "deny-if-both-conditions-are-true",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
},
"IpAddress": {
"aws:SourceIp": "11.11.11.11/32"
}
}
},
{
"Sid": "deny-if-neither-conditions-are-met",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "11.11.11.11/32"
},
"ForAnyValue:StringNotEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
}
}
}
]
}
I have tested this policy and works as expected. Additionally, I have updated the operator "ForAllValues" by "ForAnyValue".
Use the curl command with "-A" option to set any User Agent.
Reference:
Creating a condition with multiple keys or values
I have restricted the read access on my entire bucket to specific IPs, e.g. 1.1.1.0 & 2.2.2.0 as per the bucket policy given below.
There's a file in it, s3://MYBUCKET/onefile.txt, to which I want to give another set of IPs read access, e.g. to 3.3.3.0 and 4.4.4.0. So that now onefile.txt can only be accessed by 3.3.3.0 and 4.4.4.0 but NOT by 1.1.1.0 & 2.2.2.0 or any other.
How can I accomplish that?
Current Permissions > Bucket Policy (e.g.)
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "MY RESTRICTED REQUESTS",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
}
]
}
Add explicit deny and allow statements for that file onefile.txt in addition to the existing statement in the Policy.
The updated bucket policy would look like,
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "MY RESTRICTED REQUESTS",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
},
{
"Sid": "MY RESTRICTED REQUESTS_1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"3.3.3.0/20",
"4.4.4.0/22"
]
}
}
},
{
"Sid": "MY RESTRICTED REQUESTS_2",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
}
]
}
How to create AWS policy giving access to some IPs addresses OR Lambda for Elasticsearch service.
So, that have access to ES from IPs and that Lambda have access to.
This no working for me:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"xxx",
"xxx"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:eu-central-1:xxx:function:xxx"
}
}
}
]
}
Thanks for help.
I have created a bucket policy to try and stop hotlinking to my S3 files from people who gain the direct URL. I only want my website to be able to access those files. However when I direct link even with the below policy, it still allows access to the file. The files are all set to public.
{
"Id": "Policy1491040992219",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://mywebsite.com/*"
}
},
"Principal": "*"
},
{
"Sid": "Stmt14910403436760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "http://localhost:8888/*"
}
},
"Principal": "*"
}
]
}
Do I need to change any settings on the actual S3 bucket settings to stop all access?
Thanks!
You are missing the Deny statement. Try this policy:
{
"Version": "2008-10-17",
"Id": "Policy1491040992219",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
},
{
"Sid": "Stmt14910401236761",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
}
]
}