Prime

Reputation: 3625

AWS - How to limit Amazon S3 access to a VPC

I would like to create a policy and attach it to the user, which will only allow them to access Amazon S3 from an EC2 instance that is in a specific VPC. I tried the logic below, but it is not allowing the user to access Amazon S3 even though the EC2 instance is running in vpc-35test12.

Is there a way to block the user from accessing Amazon S3 but allow them access only from a specific VPC or subnet?

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "NotAction": [
          "iam:*",
          "organizations:*",
          "account:*",
          "s3:*"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::*",
        "Condition": {
          "StringLike": {
            "aws:SourceVpc": "vpc-35test12"
          }
        }
      }
    ]
  }

Upvotes: 1

Views: 874

Answers (2)

StefanN

Reputation: 513

I think you are better off creating a specific IAM role and assigning it to the instances you want to allow to access the S3 bucket. After that, block all other access to the bucket with an explicit Deny for "Principal": "*" and aws:userId or aws:PrincipalArn. Here is an example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ItIsOkToDoThis",
      "Effect": "Deny",
      "Action": "*",
      "Principal": "*",
      "Resource": [
        "arn:aws:s3:::ACCESSIBLE_S3_BUCKET/*",
        "arn:aws:s3:::ACCESSIBLE_S3_BUCKET"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "UNIQUE_ROLE_ID:*"
          ]
        }
      }
    }
  ]
}

Have a look at this article for more details: https://levelup.gitconnected.com/how-i-locked-the-whole-company-out-of-an-amazon-s3-bucket-1781de51e4be

Best, Stefan

Upvotes: 0

Arun Kamalanathan

Reputation: 8603

The condition aws:SourceVpc works when you have a VPC endpoint for S3, because otherwise all the traffic to S3 goes through the public internet, even if the request originated from the VPC. If you want the VPC to access S3 privately via the internal Amazon network (without going through the public internet), you will need to create a VPC endpoint for S3 and then use the aws:SourceVpc condition to restrict access to only that VPC.

If you just want to allow access to S3 from an EC2 instance, as @Ervin suggested:

  • Block public access on S3
  • Associate an IAM role with the EC2 instance
  • Assign an IAM policy to the role allowing access to S3

Upvotes: 3
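To make the two answers concrete, here is an added example (not from the question or either answer) with a small IAM-style evaluator written for this page: it models StringLike/StringNotLike matching, the absent-context-key rule, and the explicit-deny-wins order, then runs the asker's aws:SourceVpc statement and StefanN's bucket-policy Deny against constructed request contexts. The role ID AROAEXAMPLEROLEID and the object key report.csv are constructed stand-ins for the placeholders; Principal is not modelled.

```python
from fnmatch import fnmatchcase

def _any(patterns, value):
    """IAM-style wildcard match ('*', '?'); an absent context value never matches."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return value is not None and any(fnmatchcase(value, p) for p in pats)

def _condition_ok(cond, ctx):
    for operator, keys in cond.items():
        for key, patterns in keys.items():
            hit = _any(patterns, ctx.get(key))
            if operator == "StringLike" and not hit:   # absent key => condition false
                return False
            if operator == "StringNotLike" and hit:    # absent key => condition true
                return False
    return True
def _applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _any(stmt["NotAction"], action):
        return False
    return _any(stmt["Resource"], resource) and _condition_ok(stmt.get("Condition", {}), ctx)
def evaluate(policies, action, resource, ctx):
    decision = "ImplicitDeny"             # explicit Deny wins, then Allow, else implicit deny
    for stmt in (s for p in policies for s in p["Statement"]):
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# The asker's S3 statement (identity policy, copied from the question).
ASKER = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*",
         "Condition": {"StringLike": {"aws:SourceVpc": "vpc-35test12"}}}]}
ROLE_ID = "AROAEXAMPLEROLEID"             # constructed stand-in for StefanN's UNIQUE_ROLE_ID
STEFAN = {"Statement": [{"Effect": "Deny", "Action": "*", "Condition": {"StringNotLike":
         {"aws:userId": [ROLE_ID + ":*"]}}, "Resource": ["arn:aws:s3:::ACCESSIBLE_S3_BUCKET/*",
         "arn:aws:s3:::ACCESSIBLE_S3_BUCKET"]}]}
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
OBJ = "arn:aws:s3:::ACCESSIBLE_S3_BUCKET/report.csv"   # constructed object ARN

def asker_decision(via_endpoint):
    # Without an S3 VPC endpoint the call reaches S3 over the public internet and
    # aws:SourceVpc is absent from the request context, so the Allow never matches.
    ctx = {"aws:SourceVpc": "vpc-35test12"} if via_endpoint else {}
    return evaluate([ASKER], "s3:GetObject", OBJ, ctx)

def stefan_decision(user_id):
    # Identity policy grants s3:*; the bucket policy denies every principal outside the role.
    return evaluate([ALLOW_ALL, STEFAN], "s3:GetObject", OBJ, {"aws:userId": user_id})
```

Note that stefan_decision denies an administrator's user ID just as firmly as a stranger's, which is the lockout the linked article describes.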
