S3 bucket policy is not allowing Athena to perform query execution - amazon-web-services

I am performing Amazon Athena queries on an S3 bucket. Let's call it athena-bucket. Today I got a requirement to restrict this bucket over VPC Enpoints. So I have tried this S3 bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VPCe and SourceIP",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::**********:user/user_admin",
"arn:aws:iam::**********:root",
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::athena-bucket",
"arn:aws:s3:::athena-bucket/abc/*"
],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": [
"vpce-XXXXxxxxe",
"vpce-xxxxxxxxxx",
"vpce-XXXXXXXXXXXXXX"
]
},
"NotIpAddress": {
"aws:SourceIp": [
"publicip/32",
"publicip2/32"
]
}
}
}
]
}
Please note that Athena has full permission to access the above bucket. I want to use the S3 bucket policy to restrict access from only certain IP addresses and VPC Endpoint.
However, I am getting access denied error although request is routed through VPC Endpoints mentioned in the policy.

Amazon Athena is an Internet-based service. It accesses Amazon S3 directly and does not connect via an Amazon VPC.
If you restrict the bucket to only be accessible via a VPC Endpoint, Amazon Athena will not be able to access it.

There is actually a solution for you to get what you are asking for. The following policy condition allows actions from all of your VPC endpoints and Athena:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VPCe and SourceIP",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::**********:user/user_admin",
"arn:aws:iam::**********:root",
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::athena-bucket",
"arn:aws:s3:::athena-bucket/abc/*"
],
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:sourceVpce": [
"vpce-XXXXxxxxe",
"vpce-xxxxxxxxxx",
"vpce-XXXXXXXXXXXXXX"
],
"aws:CalledVia": [ "athena.amazonaws.com" ]
}
}
}
]
}
The "ForAllValues" portion of the condition is what turns this AND condition into an OR.
Not sure how your IP restrictions would play with this, since you cannot tell which IPs Athena would be coming from.

Related

"Access Denied" while doing S3 backup

I have a problem with S3 backup, using AWS Backup tool.
I want to have S3 bucket backed up but I am receiving Access Denied error all the time.
I am quite sure, that the problem is with the bucket policy, cause when I delete the policy backup works like it should.
This is my current policy:
{
"Version": "2012-10-17",
"Id": "Policy1558438618388",
"Statement": [
{
"Sid": "Stmt1558438593926",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::<bucket-name-here>",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"<some-ip-address>/32",
"<some-ip-address>/32",
"<some-ip-address>/32",
"<some-ip-address>/32"
]
},
"ArnNotEquals": {
"aws:username": [
"arn:aws:iam::<some-user-arn>",
"arn:aws:iam::<some-user-arn>",
"arn:aws:iam::<some-user-arn>",
"arn:aws:iam::<some-user-arn>"
]
}
}
}
]
}
I can't figure it out using AWS docs what should I add here in that policy as a condition, to allow AWS Backup tool doing it's job?
As I said before, When I delete the policy everything works fine.

How can I add IP restrictions to s3 bucket(in the bucket Policy) already having a User restriction

I have a few s3 buckets, for which I have given access to only a specific IAM user. I did it by setting the following bucket policies :
Effect : "Deny"
NotPrincipal : { "AWS " : "<My_IAM_User>" }
I'm able to access the buckets only from the IAM user, so the policy works as expected, but I also want to restrict the bucket access to only a specific IP. This IP is the ec2 IP address my server is running on. The policy values I've used is as :
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"<My_EC2_Server_IP_Address>"
]
}
}
I was expecting the above policy would allow only my EC2 server to access the s3 bucket objects, but if I'm making a call from any other IP ( eg : running the server on my local machine and trying to access the buckets. ) it's still responds with valid objects from the bucket.
The above policy does NOT seem to block any request to access the bucket is made from other random IP addresses.
My entire bucket policy looks like :
{
"Version": "<Version_value>",
"Statement": [
{
"Sid": "<Sid_value>",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "<My_IAM_User>"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<My_Bucket_name>/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "<My_EC2_Server_IP_Address>"
}
}
}
]
}
My References :
1. https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/
2. https://medium.com/#devopslearning/100-days-of-devops-day-11-restricting-s3-bucket-access-to-specific-ip-addresses-a46c659b30e2
If your intention is to deny all AWS credentials except a given IAM user and to deny all IP addresses other than a given IP, then I would write that policy as two, independent deny statements.
Something like this:
{
"Version": "<Version_value>",
"Statement": [
{
"Sid": "deny1",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "<My_IAM_User>"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<My_Bucket_name>/*"
},
{
"Sid": "deny2",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<My_Bucket_name>/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "<My_EC2_Server_IP_Address>"
}
}
}
]
}
Be careful with the IP address condition. Unless you are using an Elastic IP, your EC2 instance's IP can change e.g. if you stop then restart the instance.
Also note: you should not be using IAM User credentials on an EC2 instance. Instead, you should be using IAM Roles.

Is aws:SourceVpc condition key present in the request context when interacting with S3 over web console?

I have a Bucket Policy (listed below) that is supposed to prevent access to an S3 bucket when accessed from anywhere other than a specific VPC. I launched an EC2 instance in the VPC, tested and confirmed that S3 access works fine. Now, when I access the same S3 bucket over web console, I get 'Error - Access Denied' message.
Does this mean that aws:SourceVpc condition key is present in the request context when interacting with S3 over web console as well?
My assumption is that it is present in the request context as otherwise policy statement would have failed such that the statement's "Effect" does not apply because there is no "Ifexists" added to StringNotEquals - Asking this question as I could not find this information in AWS Documentation. Even after adding "Ifexists" to StringNotEquals, results are same - can someone confirm?
{
"Version": "2012-10-17",
"Id": "Policy1589385141624",
"Statement": [
{
"Sid": "Access-to-specific-VPC-only",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::abhxy12bst3",
"arn:aws:s3:::abhxy12bst3/*"
],
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": "vpc-0xy915sdfedb5667"
}
}
}
]
}
Yes, you are right. I tested the following bucket policy, the operations from the AWS S3 console are denied.
{
"Version": "2012-10-17",
"Id": "Policy1589385141624",
"Statement": [
{
"Sid": "Access-to-specific-VPC-only",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::abhxy12bst3",
"arn:aws:s3:::abhxy12bst3/*"
],
"Condition": {
"StringLike": {
"aws:sourceVpc": "vpc-30*"
}
}
}
]
}
It means there is definitely some vpc id present in the request. It might be same for each account or it could be different.
This will apply to all requests interacting with S3. The console just provides a GUI on top of the AWS API.

AWS S3 IAM policy for role for restricting few instances to connect to S3 bucket based in instance tag or instance id

I have a AWS S3 already associated with all the instances for read privileges to all S3 buckets. Now I need to add a policy to the roles for write privileges(Put object) so that a few of these instances can have write permissions to certain folders in the S3. Is there any way to achieve it through instance tag(better option for me) or instance id.
I tried adding an IAM policy but when I set the condition, my instances are not getting the required privileges.
The IAM policy I used is:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1456567757624",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::testbucket/testfolder1/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:ec2:eu-west-1:<accountno>:instance/<instanceid1>"
}
}
},
{
"Sid": "Stmt1456567757625",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::testbucket/testfolder2/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:ec2:eu-west-1:<accountno>:instance/<instanceid2>"
}
}
}
]
}
Here's an alternative, based on hints given in Granting access to S3 resources based on role name...
Instead of using aws:SourceArn, use aws:userid!
The Request Information That You Can Use for Policy Variables documentation has a table showing various values of aws:userid including:
For Role assigned to an Amazon EC2 instance, it is set to role-id:ec2-instance-id
Therefore, you could use the Role ID of the role that is used to launch the Amazon EC2 instance to permit access OR the Instance ID.
For example, this one is based on a Role ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aws:userid": [
"AROAIIPEUJOUGITIU5BB6*"
]
}
}
}
]
}
Of course, if you are going to assign permission based on a Role ID, then you can just as easily grant permissions within the Role itself.
This one is based on an Instance ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aws:userid": [
"*:i-03c9a5f3fae4b630a"
]
}
}
}
]
}
The Instance ID will remain with the instance, but a new one will be assigned if a new instance is launched, even from the same Amazon Machine Image (AMI).
The IAM Policy Elements Reference documentation says:
aws:SourceArn – To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services.)
However, the documentation does not state which services can use it.
There are examples available for its use with SQS and SNS, with a sourceARN of an Amazon S3 bucket and also using sourceARN with Lambda. However, it does not appear to be supported with Amazon EC2.

Amazon S3 objects: is it possible to restrict public read policy to some IP adresses only ?

A have a bucket with a public read policy. Now I want to restrict access to some of the objects in order to be accessible only from some IP adresses. Is this possible?
I also plan to add CloudFront. What should I do to keep the same settings on each object?
Thanks!
You can use S3 bucket policy. But instead of individual files it will be applied to individual folders in the bucket. You can use policy like the following:
{
"Version": "2008-10-17",
"Id": "testPolicy",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/subfolder/subfolder2/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"xxx.xxx.xxx.xxx/xx",
"xxx.xxx.xxx.xxx/xx"
]
}
}
}
]
}
User your bucket name and folder names, and IPs.
Note: Please try it first on a non production bucket.