Use Case#

Problem#

Block all traffic to my Amazon Simple Storage Service (Amazon S3) bucket unless the traffic is from specific Amazon Virtual Private Cloud (VPC) endpoints or certain external IP addresses.

Resolution#

Use a bucket policy to specify which VPC endpoints or external IP addresses can access the S3 bucket.

Note: An external IP address is a public IP address that can be from within a VPC or outside of a VPC. For example, an external IP address can be an Amazon Elastic Compute Cloud (Amazon EC2) instance’s Elastic IP address, or the IP address of a VPC’s NAT gateway or proxy server.

For example, the following bucket policy blocks traffic to the bucket unless the request is from specified VPC endpoints (aws:sourceVpce) or external IP addresses (aws:SourceIp). Note the following:

  • To use this policy with the aws:sourceVpce condition, you must have a VPC endpoint for Amazon S3 attached to the route table of the EC2 instance’s subnet. The VPC endpoint must be in the same AWS Region as the bucket.

  • To allow users to perform S3 actions on the bucket from the VPC endpoints or IP addresses, you must explicitly allow the user-level permissions. You can explicitly allow user-level permissions on either an AWS Identity and Access Management (IAM) policy or another statement in the bucket policy.

Warning: This example bucket policy explicitly denies access to any requests outside the allowed VPC endpoints or IP addresses.

{
  "Version": "2012-10-17",
  "Id": "VPCe and SourceIP",
  "Statement": [{
    "Sid": "VPCe and SourceIP",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::awsexamplebucket",
      "arn:aws:s3:::awsexamplebucket/*"
    ],
    "Condition": {
      "StringNotEquals": {
        "aws:sourceVpce": [
          "vpce-1111111",
          "vpce-2222222"
        ]
      },
      "NotIpAddress": {
        "aws:SourceIp": [
          "11.11.11.11/32",
          "22.22.22.22/32"
        ]
      }
    }
  }]
}

Allow specific users (within the same AWS account) access to the bucket even if the users aren’t sending requests from the allowed VPC endpoints or IP addresses

"StringNotLike": {
    "aws:userId": [
    "AROAEXAMPLEID:*",
    "AIDAEXAMPLEID",
    "111111111111"
    ]
}

  • AROAEXAMPLEID is the role ID of an IAM role that you want to allow

  • AIDAEXAMPLEID is the user ID of an IAM user that you want to allow

  • 111111111111 is the AWS account ID of the bucket, which represents the account’s root credentials

Backward AWS: S3 - 2 AWS: SQS,SNS,SES - 1 Forward