How to create AWS policy giving access to some IPs addresses OR Lambda for Elasticsearch service.
So, that have access to ES from IPs and that Lambda have access to.
This no working for me:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"xxx",
"xxx"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:eu-central-1:xxx:function:xxx"
}
}
}
]
}
Thanks for help.
Related
I am attempting to deploy a SSM Inventory Collection and a Resource Data Sync via Cloudformation in 15 accounts. I am able to manually add each account by adding a statement in the central s3 bucket for proper access. I was wondering is there a way to create a policy that allows newly created AWS accounts in the future to have proper access without adding a statement to the s3 bucket policy. Below is the documentation I have followed. I was using this method to add each account below
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=123456789012/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=444455556666/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=777788889999/*"
],
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html
Further in the documentation, I see you can create a resource data sync for accounts defined in AWS Organizations. But this still doesnt accomplish granting any new accounts where template gets deployed, access will be granted.
Creating an inventory resource data sync for accounts defined in AWS Organizations
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::S3_bucket_name"
},
{
"Sid": " SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"s3:RequestObjectTag/OrgId": "organization-id",
"aws:SourceAccount": "123456789012"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:ssm:*:123456789012:resource-data-sync/*"
}
}
},
{
"Sid": " SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
]
}
]
}
I have played around with a few policies but doesn't seem to work
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::inventorycollectionsync/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-mb7bem0c79"
}
}
}
]
}
Try this:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": " SSMBucketOrgDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": " SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:RequestObjectTag/OrgId": "org-id",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": " SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*"
}
]
}
I currently have a S3 bucket policy that ONLY allows GET access if the user agent matches "ALLOW_USER_AGENT"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
}
}
I want to modify this policy so that it allows GET access if the user agent matches "ALLOW_USER_AGENT" OR if the origin IP is 11.11.11.11
Here is my first crack at this policy. Is this the right policy? I want to allow GET access if 1 of these 2 statements are true (not both)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
},
{
"Sid": "SourceIP",
"Action": "s3:GetObject",
"Effect": "Deny",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"11.11.11.11/32",
]
},
"Principal": {
"AWS": "*"
}
}
]
}
According to your requeriments the Allow/Deny rules should be:
C1 (condition 1): aws:UserAgent = ALLOW_USER_AGENT
C2 (condition 2): aws:SourceIp = 11.11.11.11/32
The corresponding bucket policy would be:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "deny-if-both-conditions-are-true",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
},
"IpAddress": {
"aws:SourceIp": "11.11.11.11/32"
}
}
},
{
"Sid": "deny-if-neither-conditions-are-met",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "11.11.11.11/32"
},
"ForAnyValue:StringNotEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
}
}
}
]
}
I have tested this policy and works as expected. Additionally, I have updated the operator "ForAllValues" by "ForAnyValue".
Use the curl command with "-A" option to set any User Agent.
Reference:
Creating a condition with multiple keys or values
The below S3 bucket policy to access alb logs from another account of same region with Deny policy doesn't work, I tried with a Condition but no luck
If I use "Allow" it works but I need to use Deny as per my company policy and allow based on condition
127311923021 - us-east-1
Any ideas please?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "arn:aws:s3:::myelbogs/prefix/*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myelbogs/prefix/*",
"Condition": {
"StringNotLike": {
"AWS": "arn:aws:iam::127311923021:root"
}
},
},
{
"Effect": "Deny",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myelbogs/prefix/*",
"Condition": {
"StringNotLike": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
},
},
{
"Effect": "Deny",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::myelbogs",
"Condition": {
"StringNotLike": {
"AWS": "arn:aws:iam::127311923021:root"
}
},
}
]
}
I have restricted the read access on my entire bucket to specific IPs, e.g. 1.1.1.0 & 2.2.2.0 as per the bucket policy given below.
There's a file in it, s3://MYBUCKET/onefile.txt, to which I want to give another set of IPs read access, e.g. to 3.3.3.0 and 4.4.4.0. So that now onefile.txt can only be accessed by 3.3.3.0 and 4.4.4.0 but NOT by 1.1.1.0 & 2.2.2.0 or any other.
How can I accomplish that?
Current Permissions > Bucket Policy (e.g.)
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "MY RESTRICTED REQUESTS",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
}
]
}
Add explicit deny and allow statements for that file onefile.txt in addition to the existing statement in the Policy.
The updated bucket policy would look like,
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "MY RESTRICTED REQUESTS",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
},
{
"Sid": "MY RESTRICTED REQUESTS_1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"3.3.3.0/20",
"4.4.4.0/22"
]
}
}
},
{
"Sid": "MY RESTRICTED REQUESTS_2",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
}
]
}
I'm unable to access AWS ES cluster that has the following access policy, My IP is one of the IP listed, please advise if you there is something missing.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"52.000.000.07",
"54.00.000.000"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
]
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*"
}
]
}
I did some more digging, I believe this is what you are looking for:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
"arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
]
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"52.000.000.07",
"54.00.000.000"
]
}
}
}
]
}
There is some more detail here in my repo wiki page