Reputation: 23
I am trying to write to an S3 bucket with the help of a Lambda function, but would like to have the S3 bucket accessible only to IPs inside the office network.
I have used this bucket policy, but it does not allow my Lambda to write to the S3 bucket; when I remove the IP-blocking part, the Lambda function works fine.
How can I change this bucket policy so that it allows the Lambda to write but does not allow external IPs to access the S3 bucket?
Thanks!
{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket.net/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "230513111850"
                }
            }
        },
        {
            "Sid": "AllowECSPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::mybucket.net/*"
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::abc.net/*",
                "arn:aws:s3:::abc.net"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAJIS5E4JXTWB4RTX3I:*",
                        "230513111751"
                    ]
                },
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "81.111.111.111/24"
                    ]
                }
            }
        }
    ]
}
(81.111.111.111/24 is a dummy IP)
Upvotes: 0
Views: 955
Reputation: 269340
As a general rule, it makes life easier if you can avoid Deny statements in policies.
Therefore, you could configure:
There should be no need for a Deny statement in the bucket policy since access is denied by default.
Upvotes: 1
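The following is an added example, not code from the question or the answer and not an AWS library: a toy evaluator for the bucket-policy rules involved here (explicit Deny wins, otherwise an Allow from the bucket policy or the caller's own identity policy grants, otherwise implicit deny). It runs the asker's Deny statement and an Allow-only policy in the spirit of the answer against constructed requests. The account ID, Lambda role ARN and role ID, the Lambda egress IP, the client IPs and the object key are all assumptions; the bucket name and office range are the ones used in the question. Only same-account IAM principals and the condition operators that appear on this page are modelled.

```python
"""Toy evaluator for the S3 bucket-policy rules at play in the question above.
Added example, not code from the original post or from AWS.  It models only the
statement elements and condition operators that appear on this page, and only
same-account requests in which every condition key is present in the context.
"""
import copy
import fnmatch
import ipaddress

# Constructed sample values (assumptions, not from the question) except where noted:
ACCOUNT = "123456789012"                                   # placeholder account ID
BUCKET = "mybucket.net"                                    # bucket name from the question
OFFICE_CIDR = "81.111.111.0/24"                            # office range from the question
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/example-lambda-role"  # placeholder
LAMBDA_ROLE_ID = "AROAEXAMPLEROLEID"                       # placeholder unique role ID
LAMBDA_EGRESS_IP = "203.0.113.10"   # a Lambda outside a VPC reaches S3 from an AWS-owned IP
OFFICE_IP = "81.111.111.50"
EXTERNAL_IP = "198.51.100.7"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/report.txt"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition; assumes `key` is present in the request context."""
    actual, expected = ctx[key], _as_list(expected)
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotLike":          # '*' and '?' are wildcards in Like/NotLike
        return not any(fnmatch.fnmatchcase(actual, p) for p in expected)
    if operator in ("IpAddress", "NotIpAddress"):
        in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                       for c in expected)
        return in_range if operator == "IpAddress" else not in_range
    raise ValueError(f"operator not modelled: {operator}")


def _applies(stmt, req):
    """Does the statement cover this principal, action, resource and all its conditions?"""
    principal = stmt["Principal"]
    if principal != "*" and req["principal_arn"] not in _as_list(principal.get("AWS", [])):
        return False                          # only IAM ("AWS") principals are modelled
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, exp, req["context"])
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def evaluate(bucket_policy, req):
    """Explicit Deny wins; otherwise an Allow in the bucket policy or in the caller's own
    identity policy grants (same account); otherwise the request is implicitly denied."""
    bucket_allows = False
    for stmt in bucket_policy["Statement"]:
        if _applies(stmt, req):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            bucket_allows = True
    return "Allow" if bucket_allows or req["identity_policy_allows"] else "ImplicitDeny"


def make_request(principal_arn, user_id, source_ip, action, resource, identity_allows):
    return {"principal_arn": principal_arn, "action": action, "resource": resource,
            "identity_policy_allows": identity_allows,
            "context": {"aws:SourceIp": source_ip, "aws:userId": user_id,
                        "aws:PrincipalAccount": ACCOUNT}}


# Reduced form of the Deny statement from the question.
QUESTION_STYLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"StringNotLike": {"aws:userId": ["AROAJIS5E4JXTWB4RTX3I:*", "230513111751"]},
                  "NotIpAddress": {"aws:SourceIp": [OFFICE_CIDR]}}}]}

# Allow-only policy in the spirit of the answer: name the Lambda role, allow the office
# range for principals of this account, and let everything else fall to the default deny.
ALLOW_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LambdaWrites", "Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE_ARN},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "OfficeReads", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": [OFFICE_CIDR]},
                   "StringEquals": {"aws:PrincipalAccount": ACCOUNT}}}]}


def exclude_role_from_deny(policy, role_id):
    """If the Deny is kept, the Lambda's role must be listed the way the question already
    lists one role: its unique ID followed by ':*' so every session name matches."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt["Effect"] == "Deny":
            stmt["Condition"]["StringNotLike"]["aws:userId"].append(f"{role_id}:*")
    return fixed


LAMBDA_PUT = make_request(LAMBDA_ROLE_ARN, f"{LAMBDA_ROLE_ID}:my-function", LAMBDA_EGRESS_IP,
                          "s3:PutObject", OBJECT_ARN, identity_allows=True)
OFFICE_GET = make_request(f"arn:aws:iam::{ACCOUNT}:user/analyst", "AIDAEXAMPLEUSERID",
                          OFFICE_IP, "s3:GetObject", OBJECT_ARN, identity_allows=False)
OUTSIDE_GET = make_request(f"arn:aws:iam::{ACCOUNT}:user/analyst", "AIDAEXAMPLEUSERID",
                           EXTERNAL_IP, "s3:GetObject", OBJECT_ARN, identity_allows=False)

if __name__ == "__main__":
    policies = [("question", QUESTION_STYLE_POLICY), ("allow-only", ALLOW_ONLY_POLICY),
                ("deny, role excluded", exclude_role_from_deny(QUESTION_STYLE_POLICY, LAMBDA_ROLE_ID))]
    for name, policy in policies:
        print(name, {r: evaluate(policy, q) for r, q in
                     [("lambda", LAMBDA_PUT), ("office", OFFICE_GET), ("outside", OUTSIDE_GET)]})
```

Running it shows why the asker's Lambda fails: the function's traffic arrives from an AWS address, not the office range, and its role ID is not among the excluded `aws:userId` values, so the Deny matches even though the role's identity policy allows the write. The Allow-only policy grants the Lambda by naming its role and grants office readers by `aws:SourceIp`, with everything else falling through to the implicit deny. One check worth keeping in mind: an Allow-only bucket policy cannot fence off a principal of the same account whose identity policy already allows the bucket (such a caller from outside the office still evaluates to `Allow`); only an explicit Deny does that, which is why, if the Deny is kept, the Lambda's role has to be excluded from it as `exclude_role_from_deny` does.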