vishal

Reputation: 1874

AWS S3 Bucket Access Denied

Here is the bucket policy that I implemented on my bucket.

    {
      "Id": "Policy1535460101139",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1535460099601",
          "Action": "s3:*",
          "Effect": "Deny",
          "Resource": "arn:aws:s3:::bucketname",
          "Condition": {
            "StringNotEquals": {
              "aws:SourceVpc": "vpc-id"
            }
          },
          "Principal": "*"
        }
      ]
    }

Just after saving this bucket policy I'm unable to list or do anything with my bucket from the console (I have S3 full access), with everything displaying access denied. Then, when I tried to copy a file from one of the EC2 instances in the VPC, the copy was successful but I was unable to list the objects in the bucket; I get an access denied error message. (The EC2 instance has a role with full permission to the bucket.) Here is the role attached to the EC2 instance.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::bucketname/*"
        }
      ]
    }

What I want to know is whether this weird behaviour is caused by my bucket policy or whether it may be something else. If it is, any tips on how I can change my bucket policy now? Moreover, here is a screenshot from my console.

Upvotes: 0

Views: 1420

Answers (2)

vishal

Reputation: 1874

The reason I was not able to access the bucket even from an instance inside the VPC was that I didn't have a VPC-to-S3 endpoint attached to the route table of the subnet the instance belonged to. The key "aws:SourceVpc" is used to allow multiple endpoint connections from the same VPC, as mentioned in the documentation, contrary to what I thought, i.e. that it would allow all requests from the mentioned VPC. So the final solution for this question is that you can remove the bucket policy from an instance present inside the mentioned VPC, provided it belongs to a subnet that has a VPC-to-S3 endpoint attached to it.

Upvotes: 0

John Rotenstein

Reputation: 269330

Yes, it is 100% due to your policy.

The policy is saying:

  • "Effect": "Deny" -- Deny access
  • "Principal": "*" -- For everyone
  • "Resource": "arn:aws:s3:::bucketname" -- To this bucket
  • "StringNotEquals": {"aws:SourceVpc": "vpc-id"} -- If the request is not coming from this VPC

As to how to fix it, it depends on your requirements, which you did not state in your question.

Upvotes: 1
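The following Python script is an added example, not code from either answer and not an AWS library: it is a toy model of the IAM evaluation steps that explain both answers above (explicit Deny wins, an identity Allow is still required, ARN wildcards, and a negated condition such as StringNotEquals that is true when aws:SourceVpc is absent from the request context, which is the case for the console and for an instance whose subnet has no S3 gateway endpoint). It replays the question's own observations against the posted policies and against an assumed variant of the Deny that also names the object ARN. The VPC id "vpc-0123", the object key "file.txt" and the "fixed" policy are assumptions for illustration.

```python
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::bucketname"  # placeholder bucket name, as in the question
VPC = "vpc-0123"                     # placeholder VPC id (assumption)


def deny_outside_vpc(resources):
    """Build the question's Deny statement for the given Resource value."""
    return {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": resources,
        "Condition": {"StringNotEquals": {"aws:SourceVpc": VPC}},
    }


# Bucket policy as posted: the Deny names only the bucket ARN, not the objects.
POSTED_BUCKET_POLICY = {"Version": "2012-10-17",
                        "Statement": [deny_outside_vpc(BUCKET)]}

# Assumed variant that also covers the objects. The question never states the
# intended requirements, so this is one possible fix, not "the" fix.
FIXED_BUCKET_POLICY = {"Version": "2012-10-17",
                       "Statement": [deny_outside_vpc([BUCKET, BUCKET + "/*"])]}

# Identity policies: the EC2 role from the question (objects only) and a
# console user holding s3:* on every resource.
INSTANCE_ROLE = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "s3:*",
                                "Resource": BUCKET + "/*"}]}
CONSOLE_USER = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*",
                               "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """Action and Resource patterns use IAM-style '*' wildcards."""
    return (any(fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, r)
                    for r in _as_list(statement["Resource"])))


def _condition_holds(statement, context):
    """Only StringNotEquals is modelled. As in IAM, a negated operator is true
    when the key is missing from the request context; aws:SourceVpc is only
    populated when the request arrives through a VPC endpoint."""
    for key, expected in statement.get("Condition", {}) \
                                  .get("StringNotEquals", {}).items():
        if context.get(key) == expected:
            return False
    return True


def evaluate(identity_policy, bucket_policy, action, resource, context):
    """Simplified IAM decision: an applicable explicit Deny wins, otherwise an
    Allow is needed from the identity policy, otherwise implicit Deny."""
    for st in bucket_policy["Statement"]:
        if (st["Effect"] == "Deny" and _matches(st, action, resource)
                and _condition_holds(st, context)):
            return "Deny"
    for st in identity_policy["Statement"]:
        if st["Effect"] == "Allow" and _matches(st, action, resource):
            return "Allow"
    return "Deny"


def scenarios(bucket_policy):
    """Replay the situations described in the question against a bucket policy."""
    via_endpoint = {"aws:SourceVpc": VPC}   # subnet routes S3 through a gateway endpoint
    no_endpoint = {}                        # console, or instance without an endpoint
    obj = BUCKET + "/file.txt"              # constructed object ARN
    return {
        "console_list": evaluate(CONSOLE_USER, bucket_policy, "s3:ListBucket", BUCKET, no_endpoint),
        "instance_put_no_endpoint": evaluate(INSTANCE_ROLE, bucket_policy, "s3:PutObject", obj, no_endpoint),
        "instance_list_no_endpoint": evaluate(INSTANCE_ROLE, bucket_policy, "s3:ListBucket", BUCKET, no_endpoint),
        "instance_put_via_endpoint": evaluate(INSTANCE_ROLE, bucket_policy, "s3:PutObject", obj, via_endpoint),
        "instance_list_via_endpoint": evaluate(INSTANCE_ROLE, bucket_policy, "s3:ListBucket", BUCKET, via_endpoint),
    }


if __name__ == "__main__":
    for name, policy in (("posted", POSTED_BUCKET_POLICY), ("fixed", FIXED_BUCKET_POLICY)):
        print(name)
        for case, verdict in scenarios(policy).items():
            print(f"  {case:28} {verdict}")
```

Two things the replay makes visible that the thread only hints at. First, the copy from the instance succeeded not because the instance was "inside the VPC" but because the posted Deny names only the bucket ARN, so object operations such as PutObject are never matched by it; that also means the Deny does not stop anyone with valid credentials outside the VPC from reading or writing objects, and the assumed variant with `bucketname/*` added closes that. Second, the role attached to the instance only allows `arn:aws:s3:::bucketname/*`, and ListBucket is evaluated against the bucket ARN, so listing stays denied from the instance even once the gateway endpoint is in place until the role also grants the bucket ARN.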
