I have a bucket my_super_bucket with the following statement:

    "Statement": [
        {
            "Sid": "Stmt4214214",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my_super_bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "my_super_ip_1",
                        "my_super_ip_2"
                    ]
                }
            }
        }
    ]

Previously, the bucket had public permission for List Objects, so as I want to only allow those two IPs, I removed that privilege. However, I can still access any file in this bucket from a different IP. For further troubleshooting, I took the following three steps:

  1. I thought it might be because of the CloudFront cache, so I tried to access the file directly with the S3 URL; I could still download it.
  2. Added a "NotIpAddress": { "aws:SourceIp": "*"} to the conditions as well, still could access the files.
  3. Removed the Read object permission of each file. Now I can't access the file, no matter the SourceIP.

So, how can I achieve my goal to just allow certain IPs to access any file of a specific bucket? On IRC, a guy told me that these policies only apply to AWS CLI, but there must be a way to restrict access via URL as well, right?

  • Have you read https://stackoverflow.com/questions/52072277/grant-access-to-aws-s3-bucket-from-specific-ip-without-credentials/52072776?noredirect=1#comment91096223_52072776 – Kush Vyas Aug 29 '18 at 11:50
  • 1
    Are you using a CIDR block notation for the IP addresses? See the answers to https://stackoverflow.com/questions/11457635/amazon-s3-files-access-policy-based-on-ip-address and https://stackoverflow.com/questions/52072277/grant-access-to-aws-s3-bucket-from-specific-ip-without-credentials/52072776?noredirect=1#comment91096223_52072776 – Mark B Aug 29 '18 at 11:50
  • @KushVyas that change of logic to `deny` and `NotIpAddress` did the trick –  Aug 29 '18 at 11:56
  • No Worries you can upvote the answer as it helped you :) – Kush Vyas Aug 29 '18 at 12:01
  • Something is not right here. If you specified the source IPs correctly as CIDRs then the policy would not allow unauthenticated access from unlisted IPs. Yet you say you could access the bucket from an unlisted IP, so either you were mistaken (those users were authenticated e.g. by IAM) or the policy was not written correctly. Also, the suggestion to implement Deny/NotIpAddress will potentially block other valid IAM users, which is likely not what you want. And finally, generally speaking, allowing complete unauthenticated access (with all permissions) to a bucket is almost never a good idea. – jarmod Aug 29 '18 at 13:11
  • Verify the object-level permissions. Objects with `public-read` can be publicly read with no need for corresponding bucket policy. – Michael - sqlbot Aug 29 '18 at 15:07
  • @Michael-sqlbot that's precisely what I didn't want. I wanted the files on that bucket to be accessible only from a certain IP. –  Aug 29 '18 at 16:05
  • Right, so check your objects to see if you have set them to be publicly readable. That will explain why this doesn't work the way you expect. – Michael - sqlbot Aug 29 '18 at 20:06

1 Answer

As mentioned in a comment by Kush Vyas, changing the policy so that instead of allowing a certain IP, it would deny every other IP did the trick.
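To make the behaviour in the question and the comments concrete, here is an added Python model (not code from the question or the answer) of the S3 authorization rules that matter here: an explicit Deny from any statement wins, otherwise any Allow (bucket policy, an object ACL such as `public-read`, or an IAM policy) grants access, otherwise access is implicitly denied. The IP ranges are constructed sample values standing in for `my_super_ip_1` and `my_super_ip_2`, and the model assumes every statement uses `Principal: "*"` and `Action: "s3:*"` as in the question, so only the conditions are evaluated.

```python
import ipaddress
from typing import Dict, List

# Constructed sample ranges standing in for the question's placeholder IPs.
ALLOWED_IPS = ["203.0.113.10/32", "198.51.100.0/24"]

# The question's original policy: Allow only from the listed IPs.
ALLOW_ONLY_POLICY = [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Condition": {"IpAddress": {"aws:SourceIp": ALLOWED_IPS}}}]

# The change the answer describes: additionally Deny everyone else.
DENY_OTHERS_POLICY = ALLOW_ONLY_POLICY + [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ALLOWED_IPS}}}]


def ip_matches(source_ip: str, ranges: List[str]) -> bool:
    """aws:SourceIp semantics: the caller falls inside any listed network.
    A bare address without a prefix length is treated as a /32 host route."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def condition_holds(cond: Dict, source_ip: str) -> bool:
    """Evaluate the IpAddress / NotIpAddress condition operators only."""
    ok = True
    if "IpAddress" in cond:
        ok &= ip_matches(source_ip, cond["IpAddress"]["aws:SourceIp"])
    if "NotIpAddress" in cond:
        ok &= not ip_matches(source_ip, cond["NotIpAddress"]["aws:SourceIp"])
    return ok


def can_get_object(policy: List[Dict], source_ip: str,
                   object_public_read: bool = False,
                   iam_allows: bool = False) -> bool:
    """Simplified S3 decision: explicit Deny beats every Allow; otherwise any
    Allow (bucket policy, public-read object ACL, or IAM policy) is enough."""
    effects = {s["Effect"] for s in policy
               if condition_holds(s.get("Condition", {}), source_ip)}
    if "Deny" in effects:
        return False
    return "Allow" in effects or object_public_read or iam_allows


if __name__ == "__main__":
    # The question's symptom: unlisted IP, but objects carry public-read.
    print(can_get_object(ALLOW_ONLY_POLICY, "192.0.2.7", object_public_read=True))
    # After the fix, the same request is denied; so is an IAM user off-list.
    print(can_get_object(DENY_OTHERS_POLICY, "192.0.2.7", object_public_read=True))
    print(can_get_object(DENY_OTHERS_POLICY, "192.0.2.7", iam_allows=True))
```

The model reproduces the three points raised in the comments: an Allow-only policy cannot block objects that are already `public-read`, the Deny/NotIpAddress statement does block them, and that same Deny also blocks otherwise-valid IAM principals connecting from an unlisted IP.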