So I want my S3 bucket to be publicly accessible, but only if the request is sent through the VPC endpoint. I allowed public access at both the bucket level and the account level and also added the following statements to my bucket policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "${media_storage_bucket_arn}",
                    "${media_storage_bucket_arn}/*"
                ]
            },
            {
                "Sid": "Access-to-specific-VPCE-only",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "arn:aws:iam::${current_account}:root"
                },
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "${media_storage_bucket_arn}",
                    "${media_storage_bucket_arn}/*"
                ],
                "Condition": {
                    "StringEquals": {
                        "aws:sourceVpce": "${vpc_endpoint}"
                    }
                }
            }
        ]
    }

I have an EC2 server in a private subnet that needs to read images from an S3 bucket using a curl command and the object URL. So far, the easiest way to accomplish this would be to lift all the public access blocks, but this compromises the safety of the files in the bucket, so that is why I implemented the VPC endpoint statement to restrict access if the request is not sent through the endpoint. This works fine, but it still allows me to read any object in the bucket through its URL even if the request is not sent through the VPC endpoint. I'm sure there has to be an easier/better approach.

  • Can you clarify what you want to achieve? You can't have public bucket which is readable only through a VPC endpoint. Something like that is called a private bucket. – Marcin Sep 29 '22 at 09:42
  • I have an EC2 server in a private subnet that needs to read images from an S3 bucket using a curl command and the object URL. So far, the easiest way to accomplish this would be to lift all the public access blocks, but this compromises the safety of the files in the bucket, so that is why I implemented the VPC endpoint statement to restrict access if the request is not sent through the endpoint. I'm sure there has to be an easier/better approach? – Tegue Morrison Sep 29 '22 at 10:00
  • So you want basically a private bucket accessible only through VPC endpoint? – Marcin Sep 29 '22 at 10:07
  • @Marcin, as long as I can send curl https requests to the bucket and retrieve the object, it can be a private bucket. – Tegue Morrison Sep 29 '22 at 10:30
  • Your policy seems to be granting public access to _everything except_ the VPC Endpoint! It should only need an Allow, limited to the VPC Endpoint. This might help: [Restricting S3 bucket access to a VPC](https://stackoverflow.com/a/30794315/174777) – John Rotenstein Sep 29 '22 at 10:40
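A bucket policy that does what the question asks, and that John Rotenstein's comment describes, is shown below. It is an example added here, not code from the question or from an answer: a single Allow statement whose only grant to `"*"` is conditioned on `aws:sourceVpce`, with no unconditional public grant and no Deny. The placeholders `${media_storage_bucket_arn}` and `${vpc_endpoint}` are the question's own Terraform template variables; the `Sid` is an assumed name.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow-read-only-through-the-VPC-endpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "${media_storage_bucket_arn}",
                "${media_storage_bucket_arn}/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "${vpc_endpoint}"
                }
            }
        }
    ]
}
```

Two points worth checking after applying this. First, S3 does not classify a `"Principal": "*"` grant as public when it is restricted by a fixed `aws:sourceVpce` value, so the account-level and bucket-level Block Public Access settings can stay switched on; there is no need to lift them. Second, an unauthenticated `curl https://<bucket>.s3.<region>.amazonaws.com/<key>` from the internet now gets a 403, while the same command from the EC2 instance succeeds only if the private subnet's route table has the route to the S3 gateway endpoint, because that is what makes the request arrive with `aws:sourceVpce` set. The Deny statement in the question's policy is not needed for this: it only ever applied to the account root principal, and only when the request did come through the endpoint, which is the reverse of the intended restriction.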
