26

I'm trying to secure access to an internal static website.

Everyone in the company is using a VPN to access our Amazon VPC so I would like to limit access to that site if you're using the VPN.

So I found out this documentation on AWS to use VPC endpoint which seems to be what I'm looking for.

So I created a VPC endpoint with the following policy.

{
  "Statement": [
    {
        "Action": "*",
        "Effect": "Allow",
        "Resource": "*",
        "Principal": "*"
    }
  ]
}

On my S3 bucket, I verified that I could access index.html both from the regular Web and from the VPN.

Then I added the following bucket Policy to restrict to only the VPC Endpoint.

{
  "Id": "Policy1435893687892",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1435893641285",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789:user/op"
        ]
      }
    },
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::mybucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1234567"
        }
      },
      "Principal": "*"
    }
  ]
}

Now Regular Web gets a 403 but I also get a 403 when I'm behind the company VPN.

Am I missing something?

Paté
  • 1,914
  • 2
  • 22
  • 33
  • Just because you are using a VPN to access your VPC... isn't really related, at all, to how a VPN user accesses S3. From wherever you are, you're still accessing S3 from the Internet, almost certainly. – Michael - sqlbot Jul 03 '15 at 20:48
  • Well, once on the VPN I use the VPC DNS to resolve internal hostnames; my understanding is that the VPC endpoint creates a DNS routing rule for the S3 bucket that is then detected once you reach the endpoint and lets you through. – Paté Jul 06 '15 at 14:22
  • 3
    That's not a correct understanding. Declaring a VPC endpoint for S3 does not change how DNS works. What it changes is the VPC routing tables -- to route traffic directly from the selected subnets to S3, from inside the VPC, but the destination IP addresses of the service aren't modified. They're still the *public* addresses of the service (S3). *"The prefix list ID logically represents the range of public IP addresses used by the service*" -- http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-routing Your choice of DNS resolver is not a factor. – Michael - sqlbot Jul 06 '15 at 23:39
  • Michael - yours is not a correct understanding... The traffic does not go to the internet: "Your instances do not require public IP addresses, and you do not need an Internet gateway, a NAT instance, or a virtual private gateway in your VPC. Traffic between your VPC and the AWS service does not leave the Amazon network." I need to look at what the IP of the bucket is (I am not on VPN now); but it is certainly **not** accessible from the Internet after a straightforward installation - single bucket, single VPC. – Felix Jul 13 '15 at 08:07
  • If it's possible to assign the S3 bucket a private/VPC IP address I think you're good -- if the VPN is configured to tunnel traffic to the VPC. If the S3 bucket has a *public* IP then you can restrict traffic from the S3 side ("only allow from this IP range"), but then the main problem there is how to get a VPN user's traffic routed through the VPN when requesting the S3 public IP. – Marius Mar 19 '16 at 18:31

2 Answers

15

@Michael - sqlbot is right.

It seems what you are doing is restricting access to the S3 bucket where you store that static web content to requests coming from a particular AWS VPC, using a VPC endpoint.

VPC endpoints establish associations between AWS services, to allow requests coming from INSIDE the VPC.

You can't get what you want with VPC and S3 ACL configuration, but you can get it with ACL and some VPN configuration.

Let's assume connecting to your company's VPN doesn't mean that all the traffic, including Internet traffic between the VPN clients and AWS S3, will be routed through that VPN connection, because that's how sane VPN configuration usually works. If that's not the case, omit the following step:

  1. Add a static route to your S3 bucket to your VPN server configuration, so every client tries to reach the bucket through the VPN instead of trying to establish a direct internet connection with it. For example, on OpenVPN, edit server.conf, adding the following line:

    push "route yourS3bucketPublicIP 255.255.255.255"

After that you will see that when a client connects to the VPN it gets an extra entry added to its routing table, corresponding to the static route that tells it to reach the bucket through the VPN.

  2. Use S3 bucket ACLs "IpAddress" field to set the configuration you want. It should look something like this:


{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
         "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"} 
      } 
    } 
  ]
}

You use the IpAddress field to allow an IP or range of IPs using CIDR notation, and the NotIpAddress field the same way for restricting an IP or range of IPs (you can omit that one). The IP (or range of IPs) specified on IpAddress should be the public address(es) of the gateway interface(s) that route(s) your company's VPN Internet traffic (the IP address(es) S3 sees when somebody from your VPN tries to connect to it).

More info:

http://www.bucketexplorer.com/documentation/amazon-s3--access-control-list-acl-overview.html

http://aws.amazon.com/articles/5050/

http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-3

https://openvpn.net/index.php/open-source/documentation/howto.html

NotGaeL
  • 8,344
  • 5
  • 40
  • 70
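As an added illustration (not code from either answer or from AWS), the following Python re-enacts how S3 evaluates the asker's aws:sourceVpce Deny and the IpAddress policy above against an anonymous GET; the 203.0.113.0/24 range, the public-read Allow and the request contexts are constructed assumptions.

```python
import ipaddress

def condition_matches(cond, ctx):
    """True if every operator/key pair in a statement's Condition holds for request context ctx.
    Only the operators used on this page are modelled. Missing-key semantics follow IAM: negated
    operators (StringNotEquals, NotIpAddress) are TRUE when the key is absent, which is what a
    VPN client that never traverses the endpoint looks like."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringNotEquals":
                if actual == expected:
                    return False
            elif op == "IpAddress":
                if actual is None or ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            elif op == "NotIpAddress":
                if actual is not None and ipaddress.ip_address(actual) in ipaddress.ip_network(expected):
                    return False
            else:
                raise ValueError("operator not modelled: " + op)
    return True

def evaluate(policy, ctx):
    """IAM decision for an anonymous GET: explicit Deny wins, else Allow, else implicit deny (403 either way)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt["Principal"] != "*":  # statements naming specific IAM users never match an anonymous request
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# The asker's policy reduced to its Deny, plus a public-read Allow standing in for whatever made
# index.html reachable 'from the regular Web' in the first place (assumption, not on the page).
VPCE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::mybucket/*",
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1234567"}}}]}
# The answer's IpAddress policy; 203.0.113.0/24 is a constructed stand-in for the VPN gateway's public range.
IP_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "NotIpAddress": {"aws:SourceIp": "203.0.113.188/32"}}}]}
# Constructed request contexts: only traffic that really goes through the endpoint carries aws:sourceVpce.
FROM_EC2_VIA_ENDPOINT = {"aws:sourceVpce": "vpce-1234567"}
FROM_VPN_CLIENT = {"aws:SourceIp": "203.0.113.7"}   # egresses via the VPN gateway, never sees the endpoint
FROM_INTERNET = {"aws:SourceIp": "198.51.100.9"}
```

Running evaluate(VPCE_POLICY, FROM_VPN_CLIENT) returns "Deny", reproducing the asker's 403, while evaluate(IP_POLICY, FROM_VPN_CLIENT) returns "Allow".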
1

Actually, @Michael - sqlbot was right until May 15, 2015. What you do is correct. You found the documentation (again, correctly) that allows you to set up an S3 bucket within a VPC (probably with no access from the outside world), the same way you set up your EC2 machines. Therefore,

On my S3 bucket, I verified that I could access index.html both from the regular Web and from the VPN.

is a problem. If you didn't make mistakes, you shouldn't be able to access the bucket from the regular Web. Everything that you did afterwards is irrelevant - because you didn't create the S3 bucket inside your VPN-connected VPC.

You don't give many details as to what you did in your very first step; the easiest is probably to delete this bucket and start from the beginning. With the need to set up route tables and whatnot it is easy to make a mistake. This is a simpler set of instructions - but it doesn't cover as much ground as the document that you followed.

But any links that predate this capability (that is, any links before May 2015) are irrelevant.

Felix
  • 9,248
  • 10
  • 57
  • 89
  • I did get the configuration to only allow requests from inside the VPC. Meaning from the regular Web I get 403, and from one of our AWS instances if I curl I do have access. Unfortunately it doesn't work when I'm on the VPN even though it's using the VPC. I ended up using the solution described by @elcodedocle and restricting by IP address of the VPN – Paté Jul 13 '15 at 15:47
  • 1
    @Felix You are right and Michael too. The connection does not originate on an EC2 instance, so you either give up on name solving your bucket's private address (bad idea) or edit the hosts file on all of your VPN clients, one by one ( or set up / modify an internal DNS and force all connected clients to use it as primary DNS ), to add the required extra DNS configuration so the bucket name is solved to its VPC private IP instead of the public one. – NotGaeL Jul 13 '15 at 18:02
  • Using the bucket's public IP requires no extra steps or complexity apart from that single line on the VPN server config file. The ACL is also quite simple, not much more complex than just blocking all public traffic. And the big upside is that you can easily add other networks to the ACL as you please, internal or external. – NotGaeL Jul 13 '15 at 18:13
  • @Paté were you able to get this to work with SSL/TLS enabled for your static site? – yangmillstheory Feb 16 '17 at 05:01