Restrict S3 Bucket Access to a VPC

Allow access to an S3 bucket only from your VPC
I am currently evaluating options to lock down permissions on my S3 buckets as part of a set of security enhancements.
These are the steps I followed to restrict access to an S3 bucket to my VPC only.

Create VPC Endpoints
(Screenshot: VPC Endpoints)

Attach the S3 Bucket Policy to Restrict Access

{
	"Version": "2012-10-17",
	"Id": "Policy123456789",
	"Statement": [
		{
			"Sid": "Stmt123456789",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::example-confidential/*",
			"Condition": {
				"StringNotEquals": {
					"aws:sourceVpc": "vpc-2f2b202b"
				}
			}
		}
	]
}
(Screenshot: AWS Policy Generator)
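To check which requests the Deny statement above actually matches before attaching it, here is a small evaluator written for this post (added example, not code from the original or from AWS). It implements only the elements this policy uses (Effect Deny, wildcard Action/Resource, StringNotEquals on aws:sourceVpc) and is not IAM's real evaluation engine; the request contexts are constructed inputs.

```python
import fnmatch
import json

# Added example, not part of the original post: a minimal evaluator for
# the Deny statement above. It implements only what that policy uses
# (Effect Deny, wildcard Action/Resource, StringNotEquals on aws:sourceVpc)
# and is not a substitute for IAM's real evaluation logic.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-confidential/*",
    "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-2f2b202b"}}
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value):
    # IAM Action/Resource strings use '*' and '?' as wildcards; fnmatchcase
    # handles both. Case-insensitive action matching is not modelled here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _string_not_equals(condition, ctx):
    # StringNotEquals holds when the context value is absent or differs.
    # A missing aws:sourceVpc (e.g. a console request) therefore matches,
    # which is why the console is locked out once the policy is attached.
    for key, allowed in condition.get("StringNotEquals", {}).items():
        if ctx.get(key) in _as_list(allowed):
            return False
    return True


def is_explicitly_denied(action, resource, ctx, policy=BUCKET_POLICY):
    """Return True if a Deny statement in the policy matches this request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if (_wildcard_match(stmt["Action"], action)
                and _wildcard_match(stmt["Resource"], resource)
                and _string_not_equals(stmt.get("Condition", {}), ctx)):
            return True
    return False
```

Because the Resource pattern ends in /*, bucket-level actions such as s3:ListBucket on arn:aws:s3:::example-confidential are not matched by this statement; add the bucket ARN to Resource as well if those should be restricted too.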

Access the Bucket Outside the VPC
Once the policy is attached, accessing the files in the bucket through the console (which is not on the VPC) fails with an AccessDenied error:

Code: AccessDenied
Message: Access Denied
RequestId: 14FB0BEFD8A0C8E5
HostId: JrFOr/6Fe20lyMxjCy6lPhJIJ8sj3kG7zSiel2kcvv6OUssHQ2W/e7bYTjD3hXjX2m1/aHB+G1I=


Access the Bucket from the VPC
If you log into an EC2 instance hosted in the VPC, you will be able to access the S3 bucket.

SSH into your EC2 instance and confirm its VPC through the Instance Metadata Service:

[ec2-user]# curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/
01:ed:88:51:f6:29/

[ec2-user]# curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/01:ed:88:51:f6:29/vpc-id
vpc-2f2b202b

If you now run S3 commands against the bucket from that instance, they succeed without an AccessDenied error:

aws s3 ls example-confidential
aws s3 cp s3://example-confidential/SampleConfidentialFile.txt SampleConfidentialFile.txt

References:

AWS Documentation for VPC Endpoints
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html

Adding S3 Policy to Restrict Access to specific VPC Only
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html#example-bucket-policies-restrict-access-vpc

AWS Policy Generator
https://awspolicygen.s3.amazonaws.com/policygen.html

AWS Blog Post on VPC Endpoints
https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/

IAM Policy Elements Reference
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Principal_specifying/
