AWS: S3 - 3

Use Case

Problem

Block all traffic to my Amazon Simple Storage Service (Amazon S3) bucket unless the traffic is from specific Amazon Virtual Private Cloud (VPC) endpoints or certain external IP addresses.

Resolution

Use a bucket policy to specify which VPC endpoints or external IP addresses can access the S3 bucket.

Note: An external IP address is a public IP address that can be from within a VPC or outside of a VPC. For example, an external IP address can be an Amazon Elastic Compute Cloud (Amazon EC2) instance’s Elastic IP address, or the IP address of a VPC’s NAT gateway or proxy server.

For example, the following bucket policy blocks traffic to the bucket unless the request is from specified VPC endpoints (aws:sourceVpce) or external IP addresses (aws:SourceIp). Note the following:

  • To use this policy with the aws:sourceVpce condition, you must have a VPC endpoint for Amazon S3 attached to the route table of the EC2 instance’s subnet. The VPC endpoint must be in the same AWS Region as the bucket.

  • To allow users to perform S3 actions on the bucket from the VPC endpoints or IP addresses, you must explicitly allow the user-level permissions. You can explicitly allow user-level permissions on either an AWS Identity and Access Management (IAM) policy or another statement in the bucket policy.

Warning: This example bucket policy explicitly denies access to any requests outside the allowed VPC endpoints or IP addresses.

{
  "Version": "2012-10-17",
  "Id": "VPCe and SourceIP",
  "Statement": [{
    "Sid": "VPCe and SourceIP",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::awsexamplebucket",
      "arn:aws:s3:::awsexamplebucket/*"
    ],
    "Condition": {
      "StringNotEquals": {
        "aws:sourceVpce": [
          "vpce-1111111",
          "vpce-2222222"
        ]
      },
      "NotIpAddress": {
        "aws:SourceIp": [
          "11.11.11.11/32",
          "22.22.22.22/32"
        ]
      }
    }
  }]
}

Allow specific users (within the same AWS account) access to the bucket even if the users aren’t sending requests from the allowed VPC endpoints or IP addresses

"StringNotLike": {
    "aws:userId": [
    "AROAEXAMPLEID:*",
    "AIDAEXAMPLEID",
    "111111111111"
    ]
}

  • AROAEXAMPLEID is the role ID of an IAM role that you want to allow

  • AIDAEXAMPLEID is the user ID of an IAM user that you want to allow

  • 111111111111 is the AWS account ID of the bucket, which represents the account’s root credentials