
I have generated the policy below, but it still allows all other EC2 instances to access my bucket. What change should I make to this policy? What I want is for my bucket to be accessible only to the instance I have mentioned and not to any other instance.

{
  "Id": "Policy1507871740101",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1507871738318",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/*",
      "Principal": {
        "AWS":"arn:aws:ec2:region:userid:instance/instanceid"
      }
    }
  ]
}
vishal
  • Did you add a bucket policy in S3 or add it to IAM role in EC2? – Ashan Oct 13 '17 at 05:29
  • I added this policy as my bucket policy. Should I attach this to the IAM role too? (Note: I already have an IAM role attached to the instances.) – vishal Oct 13 '17 at 05:37
  • You can't specify an instance in a bucket policy this way. S3 has no way of knowing which instance is accessing it. More importantly, you seem to be trying to solve the wrong problem. Specifically, if you want other instances to be unable to access a bucket, then *don't give those other instances access to the bucket.* You have already given them access via some other method, otherwise access would already be denied. Everything is denied by default. – Michael - sqlbot Oct 13 '17 at 11:58

2 Answers


You cannot specify an instance ID, but you can specify an IP address in an S3 policy.

However, you have another problem. If your EC2 instances can already access S3, either you have made the bucket public or you have assigned a role to the instances granting permission. Review this first. Find your security holes first.

Below is an example policy for S3 using IP addresses to grant or deny access:

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
         "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"} 
      } 
    } 
  ]
}
John Hanley

Just to make it clearer: as was mentioned, you should:

  • remove the bucket policy
  • create an EC2 role instead
  • attach that role to the instances you want to have access
  • edit the role policy

A sample is below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Feel free to edit the first statement to add/remove necessary actions.

Putnik
  • Thanks for your effort. But by attaching this policy as a role to the EC2 instance I could only limit the respective EC2 instance to access only the buckets mentioned in the policy, but not stop the bucket being accessed by other instances. What I want is my bucket should be accessible only to the instance I want and not to any other. Is there a way? – vishal Oct 16 '17 at 05:13
  • You should remove the access policy from the bucket altogether (unless you have another necessity). For *this* task the bucket does not need to have a policy at all. Remove it and other instances won't have access there. This is the very first step in my list. – Putnik Oct 16 '17 at 11:40
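Both answers rest on the same evaluation rules: a request is denied unless some applicable statement allows it, an explicit Deny wins, and (for a same-account caller) the Allow may live either in the bucket policy or in the caller's identity policy. The small simulator below is an added example, not AWS code and not from either answer, that walks the two policies above through those rules: the first answer's IP-conditioned bucket policy, and the second answer's role policy with no bucket policy at all. It models only the aws:SourceIp key with the IpAddress and NotIpAddress operators; the bucket names, IP addresses and role ARNs are constructed for illustration.

```python
"""Simulator of the S3 authorization decision behind the two answers above.

Added example, not AWS code. Same-account requests only: default deny,
explicit Deny wins, an Allow in the bucket policy or the caller's identity
(role) policy grants access. Only aws:SourceIp with IpAddress/NotIpAddress
is modelled. Bucket names, IPs and role ARNs are constructed.
"""
import fnmatch
import ipaddress

# Bucket policy from the first answer: whole /24 allowed, one host carved out.
BUCKET_POLICY_BY_IP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
        "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket/*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
            "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"},
        },
    }],
}

# Identity policy from the second answer (object actions only), attached to
# the role of the one instance that should have access.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::bucket_name/*",
    }],
}

TRUSTED_ROLE = "arn:aws:iam::123456789012:role/bucket-reader"  # constructed
OTHER_ROLE = "arn:aws:iam::123456789012:role/something-else"   # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_match(patterns, value):
    # IAM-style matching for Action/Resource: '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", {})
    if principal == "*":          # anyone, including unauthenticated callers
        return True
    return principal_arn in _as_list(principal.get("AWS", []))

def _conditions_hold(stmt, context):
    # Every operator/key pair in Condition must hold (logical AND).
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if key != "aws:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                raise NotImplementedError(f"{operator} on {key} is not modelled")
            if key not in context:
                return False      # simplification: an absent key never matches
            addr = ipaddress.ip_address(context[key])
            inside = any(addr in ipaddress.ip_network(n) for n in _as_list(expected))
            if inside != (operator == "IpAddress"):
                return False
    return True

def _applies(stmt, action, resource, principal_arn, context, resource_based):
    # Identity policies carry no Principal element; bucket policies must name one.
    if resource_based and not _principal_matches(stmt, principal_arn):
        return False
    return (_any_match(stmt["Action"], action)
            and _any_match(stmt["Resource"], resource)
            and _conditions_hold(stmt, context))

def is_allowed(action, resource, principal_arn, context,
               bucket_policy=None, identity_policy=None):
    """True if the request is authorized under the modelled evaluation rules."""
    effects = []
    for policy, resource_based in ((bucket_policy, True), (identity_policy, False)):
        for stmt in (policy or {}).get("Statement", []):
            if _applies(stmt, action, resource, principal_arn, context, resource_based):
                effects.append(stmt["Effect"])
    if "Deny" in effects:
        return False              # an explicit Deny always wins
    return "Allow" in effects     # otherwise denied unless something allowed it

def scenario_ip_policy():
    """First answer: bucket policy keyed on source IP, no role policy at all."""
    obj = "arn:aws:s3:::examplebucket/report.csv"
    return {ip: is_allowed("s3:GetObject", obj, OTHER_ROLE, {"aws:SourceIp": ip},
                           bucket_policy=BUCKET_POLICY_BY_IP)
            for ip in ("54.240.143.10", "54.240.143.188", "203.0.113.5")}

def scenario_role_policy():
    """Second answer: no bucket policy; only the trusted role carries an Allow."""
    obj = "arn:aws:s3:::bucket_name/report.csv"
    ctx = {"aws:SourceIp": "198.51.100.7"}
    return {
        "trusted_instance": is_allowed("s3:GetObject", obj, TRUSTED_ROLE, ctx,
                                       identity_policy=ROLE_POLICY),
        "other_instance": is_allowed("s3:GetObject", obj, OTHER_ROLE, ctx,
                                     identity_policy=None),
    }
```

Two things the simulator makes visible. With the IP-based bucket policy, "Principal": "*" means the grant is not tied to any identity: anything that can originate traffic from 54.240.143.0/24, including unauthenticated requests and every instance sharing a NAT gateway address in that range, is allowed, and the single host 54.240.143.188 is carved out only because NotIpAddress is ANDed with IpAddress. With the role-based approach there is no bucket policy to match against, so the only Allow anywhere is on the one role; an instance without that role (or with a role whose policy names a different bucket) falls through to the default deny, which is exactly the outcome the question asks for.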