
I have a few buckets in S3 where I want to limit access. In the process of implementing this I am now confused and would appreciate your help in understanding this.

This is my scenario --

  1. Created a VPC, Public Subnet, ec2.
  2. Created a bucket using an admin user --aws1234-la
  3. Created a bucket policy and attached it to the bucket, allowing access only if coming from my VPC:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "Access-to-specific-VPC-only",
         "Principal": "*",
         "Action": "s3:*",
         "Effect": "Deny",
         "Resource": ["arn:aws:s3:::aws1234-la",
                      "arn:aws:s3:::aws1234-la/*"],
         "Condition": {
           "StringNotEquals": {
             "aws:sourceVpc": "vpc-111bbb22"
           }
         }
       }
     ]
   }

  4. Next, from the CLI: aws s3 ls

It is displaying the buckets.

Where am I making a mistake? Ideally step 4 should return an error, as I am not going through my VPC?

Any help will be highly appreciated.

Thanks

Judi

2 Answers

From Specifying Conditions in a Policy - Amazon Simple Storage Service:

The new condition keys aws:sourceVpce and aws:sourceVpc are used in bucket policies for VPC endpoints.

Therefore, you need to be accessing the S3 bucket via a VPC Endpoint to be able to restrict access to a VPC. This is because, without the VPC Endpoint, the request being received by Amazon S3 simply appears to be coming "from the Internet", so it is not able to identify the source VPC. In contrast, a request coming via a VPC Endpoint includes an identifier of the source VPC.

Making it work

Assumption: You already have an IAM Policy on your user(s) that allows access to the bucket. You are wanting to know how to further restrict the bucket so that it is only accessible from a specific VPC. If this is not the case, then you should be using an Allow policy to grant access to the bucket, since access is denied by default.

To reproduce your situation, I did the following:

  • Created a new VPC with a public subnet
  • Added a VPC Endpoint to the VPC
  • Launched an Amazon EC2 instance in the public subnet, assigning an IAM Role that already has permission to access all of my Amazon S3 buckets
  • Created an Amazon S3 bucket (my-vpc-only-bucket)
  • Added a Bucket Policy to the bucket (from Example Bucket Policies for VPC Endpoints for Amazon S3):
{
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPC-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::my-vpc-only-bucket",
                    "arn:aws:s3:::my-vpc-only-bucket/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbb22"
         }
       }
     }
   ]
}

Please note that this policy assumes that the user(s) already have access to the bucket via an IAM Policy that grants Allow access. This policy is adding a Deny that will override the access they already have to the bucket.

  • Logged in to the Amazon EC2 instance in the new VPC and then:
    • Run aws s3 ls s3://my-vpc-only-bucket
    • It worked!
  • From my own computer on the Internet:
    • Run aws s3 ls s3://my-vpc-only-bucket
    • Received an AccessDenied error (which is what we want!)

By the way, the Deny policy will also prohibit your use of the Amazon S3 management console to manage the bucket because requests are not coming from the VPC. This is a side-effect of using Deny and s3:* on the bucket. You can always remove the bucket policy by using your root credentials (login via email address), then go to the Bucket Policy in the S3 console and click Delete. (You'll see some errors on the screen getting to the Bucket Policy, but it will work.)

Alternate method via Allow

If, on the other hand, the user(s) do not already have access to all Amazon S3 buckets, then by default they will not have access to the new bucket. Thus, you will need to grant Allow access to the bucket, but only from the VPC via the VPC Endpoint.

Setup is the same as above, but the Bucket Policy would be:

{
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPC-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Allow",                    <-- This changed
       "Resource": ["arn:aws:s3:::my-vpc-only-bucket",
                    "arn:aws:s3:::my-vpc-only-bucket/*"],
       "Condition": {
         "StringEquals": {                   <--- This changed
           "aws:sourceVpc": "vpc-111bbb22"
         }
       }
     }
   ]
}
  • I then tested it with an IAM Role assigned to the EC2 instance that does not have any permissions to access Amazon S3:
    • Ran aws s3 ls s3://my-vpc-only-bucket
    • It worked!
  • Ran from my own computer, using an IAM User that does not have any permissions to access Amazon S3:
    • Received an AccessDenied error (which is what we want!)

Bottom line: You need to add a VPC Endpoint to the VPC.

John Rotenstein
  • I don't have root access so moved to Allow as I was unable to delete the bucket policy from the console (Thanks, your comments were very helpful!) Now I am still not able to get the desired results. My objective is simple: **I only want users to view a bucket if they are coming thru the vpce** I am getting positive results when I am accessing using my mac. I am using a role with s3* while using my mac. Ideally, the mac should give an error. Any thoughts? – Judi Nov 25 '19 at 19:35
  • If your computer is using credentials that have access to `s3:*`, then you will have access to the bucket. This is because you can obtain access from _either_ the IAM Role _or_ the Bucket Policy. If you wish to retain the use of `s3:*` for some users while still preventing _ALL_ users from accessing the bucket from outside the VPC, then you will need to use a `Deny` to override the `Allow`. You might be able to tweak it so that it only limits the ability to `GetObject` rather than blocking all usage (to avoid the problem deleting the bucket policy). – John Rotenstein Nov 25 '19 at 21:06
  • Understood the problem at least, as my mac is using access keys which have an IAM role with S3:*. Thanks! **Now how do I find the solution? So, the Deny will be in the Bucket policy -- Correct? Also, how did you manage to post a long answer to my question?** It is limiting me to some 500 characters when I am adding this comment. I would like to show you my complete solution. Thanks! – Judi Nov 26 '19 at 01:57
  • Answers ≠ Comments. If you have a solution to your Question, you are welcome to post your own Answer. If you want to clarify your Question, you can edit the Question to add more content. – John Rotenstein Nov 26 '19 at 02:51
  • If your requirement is that _ALL_ users, even those with `s3:*` permission, can only access the bucket via the VPC Endpoint, then yes, you will need to use a Bucket Policy with a `Deny` as shown in your Question. However, you could reduce it to `s3:GetObject` to reduce the impact. – John Rotenstein Nov 26 '19 at 02:53
  • @John This means I will have a bucket policy on the buckets with S3:GetObject and then no IAM policy for these buckets. But if I have 50+ buckets and want to allow access to only 5 buckets using a bucket policy and the remaining 45+ thru IAM, then how will I restrict the 5 in the IAM policy? Please help -- Thanks! – Judi Nov 26 '19 at 14:23
  • Sorry, but I'm quite confused by the scenario. The general rule is: Use `Allow` in an IAM Policy to grant access based on the user. Use `Allow` in a Bucket Policy to grant access to 'public' or for special situations. Only use `Deny` in IAM/Bucket Policies if you need to override a previously granted `Allow`. Feel free to create a new Question if you wish to dig-in further on this topic, rather than doing it via comments on this question. – John Rotenstein Nov 26 '19 at 23:58
  • What is the VPC endpoint type - gateway or interface? – Saurabh Jul 15 '22 at 04:37

Since you specified the resource at the bucket level, it will deny all the operations inside the bucket. However, the listing of the buckets is acting on the resource arn:aws:s3:::*, and that is not denied, thus the bucket will be displayed even if you are not inside of the VPC.

AFAIK, there is no way to partially hide only for the bucket without blocking all the buckets.

Lamanus
  • If I understand your answer - I am not specifying arn:aws:s3:::* anywhere, so where is it getting that privilege? – Judi Nov 23 '19 at 12:31
  • Can you please help me get over this confusion. Is listbucket there by default? I am not assigning it. – Judi Nov 23 '19 at 12:50
  • However if I do aws s3 ls s3://aws1234-ls I get the following error. ```An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied``` – Judi Nov 23 '19 at 12:59
  • That is expected because you deny the list objects action in a bucket path level. So, you do not have permission to see the object list in your bucket. – Lamanus Nov 23 '19 at 21:58
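To tie the two answers together (John's point in the comments that an explicit Deny overrides an Allow from either the IAM policy or the bucket policy, and Lamanus's point that listing buckets acts on arn:aws:s3:::* rather than on the bucket), here is an added Python model of the evaluation order. It is not code from the page or from AWS; the bucket name, VPC id, the two bucket policies, the IAM policies and the request contexts are constructed to mirror the question.

```python
import fnmatch
# Added example (not code from the page or from AWS): a small model of the IAM
# evaluation order the answers rely on. An explicit Deny anywhere is final; an
# Allow may come from EITHER the IAM policy OR the bucket policy; otherwise the
# request is implicitly denied. Same-account only, so Principal is ignored.

def _any_match(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(cond, ctx):
    # IAM semantics for a missing context key: StringNotEquals still matches
    # (so the Deny fires), StringEquals does not (so the Allow stays silent).
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if ((op == "StringEquals" and have != want)
                    or (op == "StringNotEquals" and have == want)):
                return False
    return True

def evaluate(identity_policy, bucket_policy, action, resource, ctx):
    decision = "ImplicitDeny"
    for policy in (identity_policy, bucket_policy):
        for st in policy["Statement"]:
            if not (_any_match(st["Action"], action)
                    and _any_match(st["Resource"], resource)
                    and _condition_holds(st.get("Condition", {}), ctx)):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

BUCKET = "arn:aws:s3:::my-vpc-only-bucket"
VPC = "vpc-111bbb22"
IAM_S3_STAR = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IAM_NO_S3 = {"Statement": []}
DENY_OUTSIDE_VPC = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpc": VPC}}}]}
ALLOW_FROM_VPC = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringEquals": {"aws:sourceVpc": VPC}}}]}
# Constructed request contexts: aws:sourceVpc is present only when the request
# arrives through a VPC endpoint; from the Internet the key is simply absent.
FROM_VPCE = {"aws:sourceVpc": VPC}
FROM_INTERNET = {}
```

Running `evaluate(IAM_S3_STAR, DENY_OUTSIDE_VPC, "s3:ListAllMyBuckets", "arn:aws:s3:::*", FROM_INTERNET)` returns "Allow" (the bucket name still shows up in `aws s3 ls`), while the same call for `s3:ListBucket` on the bucket ARN returns "Deny", and `ALLOW_FROM_VPC` alone leaves an `s3:*` user allowed from the Internet.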