I'm trying to implement a batch virus scanner. I have a cron job set up to periodically scan unscanned files stored on S3. Whenever I try to wget the file, I get a 403.
I've set up this policy:
{
"Version": "2012-10-17",
"Id": "S3PolicyIPRestrict",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "ip of my address/32"
}
}
}
]
}
Any idea what I'm doing wrong?
Use the below bucket policy if you want to allow specfic ip address to access the files on s3 bucket.
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<bucket>",
"arn:aws:s3:::<bucket>/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "<IP>/32"
}
}
}
]
}
Related
I created bucket policy below, but I can't access any images from server I set up the other day(got 403). How can I allow specific IP address in the condition?
{
"Version": "2012-10-17",
"Id": "Policy1527266936788",
"Statement": [
{
"Sid": "Stmt11111111,
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::xxxxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "xx.xx.xxx.xxx/24"
}
}
}
]
}
I am using AWS Elasticsearch and I need to setup an access policy to allow access from fixed IP to access the Kibana and the web interface. I also want to allow a specific user access key to be able to access it from any IP, as the records will be inserted from our servers.
So it boils down to create a policy where I need an or relation between IP and ARN.
Here is how my IP policy looks like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "xxx.xx.xx.173"
}
}
}
]
}
and here is how my ARN policy looks like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxxxx:user/xxxx"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*"
}
]
}
How can I get an or relation between them?
If I'm understanding your question properly you should be able to achieve what you want by adding the two statement objects into the statement array like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "xxx.xx.xx.173"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxxxx:user/xxxx"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*"
}
]
}
I'm trying to prevent hotlinking of images in my S3 bucket. I thought bucket policy this would work but so far no luck:
{
"Version": "2008-10-17",
"Id": "Bucket policy for example.com",
"Statement": [
{
"Sid": "Allow GET requests referred by example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::example/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://www.example.com/*",
"http://www.example.com/*",
"https://example.com/*",
"http://example.com/*"
]
}
}
},
{
"Sid": "Allow GET requests that don't specify a referrer",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::example/*",
"Condition": {
"Null": {
"aws:Referer": true
}
}
}
]
}
How do I make it so this policy denies access to images embedded on other websites?
After setting up AWS Elasticsearch, I installed Logstash and Kibana proxy on a static IP server, and added this domain access policy on ES and it's working fine:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.192.192.192"
]
}
}
}
]
}
Now I need to allow Lambda function to execute es:ESHttpDelete action on AWS ES, so I created the function with the existing role service-role/Elasticsearch then copied the relevent ARN from IAM Managment console to add it to AWS ES access policy, to come up with this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
}
]
}
The problem is on ES I should either choose domain access policy for Static IP or ARN but not both. When I tried to merge them manually not by using the console it didn't work. I checked AWS documentation but they didn't mention if is that possible or not.
You can add multiple policy statements inside the Statement array in the JSON format of policy. So, your final policy would be something like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.192.192.192"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
}
]
}
I have a private s3 bucket. I am trying to access it with the authorization. I am managing to do that only by generated a pre-signed url for each object in the bucket using AWS-SDK, which is not practical at all.
Also I have tried configuring the bucket policy and give premission only to a specific range of ips, but it won't work. How can I see what's wrong there?
What do you think is the best approach for accessing a private bucket? I am a bit confused.
policy:
{
"Version": "2008-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPDeny",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "public/private IP of ec2 instance/32"
}
}
},
{
"Sid": "IPDeny",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "myIPAddress/32"
}
}
}
]
}
I think by default accounts are restricted from accessing S3 unless they have been given access via policy. However, S3 is designed by default to allow any IP address access. So to block IP's you would have to specify denies explicitly in the policy instead of allows.
You Should flip around the policy from allowing access from only my IP address to denying access from everywhere that is NOT my IP address.
So I Think You Might be Using this :
{
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3::: bucketname",
"Condition": {
"IpAddress": {
"aws:SourceIp": "CIDR Of Allowed IP"
}
}
}
]
You Should Try This :
{
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPDeny",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3::: bucket name*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "CIDR Of Allowed IP"
}
}
}
]
I Hope This Helps