Narayanan M
Reputation: 21
VPC access policy for S3 buckets
I have a VPC, with a VPC endpoint that is associated with a particular route table, say RTB1. Subnet1 uses RTB1 while Subnet2 doesn't.
If I attach a policy to the S3 bucket, specifying the vpc-ID as in the policy below:
{
"Version": "2012-10-17",
"Id": "Policy1415115909152",
"Statement": [
{
"Sid": "Access-to-specific-VPC-only",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": "vpc-111bbb22"
}
}
}
]
}
Will this allow instances in Subnet2 to access the S3 bucket? Even though those instances are not routed through RBT1, which has the vpc-endpoint entry?
Upvotes: 1
Views: 152
Answers (1)
Narayanan M
Reputation: 21
Here is a summary of the behavior:
Scenario: Assume there is
- 1 VPC, vpc-111bbb22
- 3 subnets
*subnet-1111 behind s3 vpc endpoint vpce-1111,
*subnet-2222 behind s3 vpce-2222 and
*subnet-3333 which is not associated with any vpc endpoint.
- 1 S3 bucket named my_secure_bucket (NOTE: this bucket has to be in the same region as the VPC/VPC endpoints)
Using the above bucket policy, the accessibility is as follows:
subnet-1111 - can access
subnet-2222 - can access
subnet-3333 - cannot access
Upvotes: 1
Related Questions
- How to use a VPC endpoint to access my S3 bucket list/buckets?
- S3 Bucket access policy: Deny on IP range and VPC Endpoint not working
- Restricting S3 bucket access to a VPC
- AWS - How to limit Amazon S3 access to a VPC
- Access S3 bucket from VPC
- Restricting Access to S3 buckets from a VPC only
- Aws s3 access using vpc-endpoint
- S3 Bucket security, open access restricted by public IP and VPC endpoint
- Allow S3 Bucket access from either specific VPC or console
- AWS S3: user policy for specifc bucket