How do I restrict access to a static s3 website to a VPN

I'm trying to secure access to an internal static website.

Everyone in the company is using a VPN to access our Amazon VPC so I would like to limit access to that site if you're using the VPN.

So I found this documentation on AWS about using a VPC endpoint, which seems to be what I'm looking for.

So I created a VPC endpoint with the following policy.

    {
      "Statement": [
        {
          "Action": "*",
          "Effect": "Allow",
          "Resource": "*",
          "Principal": "*"
        }
      ]
    }

On my S3 bucket, I verified that I could access index.html both from the regular Web and from the VPN.

Then I added the following bucket policy to restrict access to only the VPC endpoint.

    {
      "Id": "Policy1435893687892",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1435893641285",
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::mybucket/*",
          "Principal": {
            "AWS": [
              "arn:aws:iam::123456789:user/op"
            ]
          }
        },
        {
          "Sid": "Access-to-specific-VPCE-only",
          "Action": "s3:*",
          "Effect": "Deny",
          "Resource": ["arn:aws:s3:::mybucket/*"],
          "Condition": {
            "StringNotEquals": {
              "aws:sourceVpce": "vpce-1234567"
            }
          },
          "Principal": "*"
        }
      ]
    }

Now the regular Web gets a 403, but I also get a 403 when I'm behind the company VPN.

Am I missing something?

Paté asked Jul 03 '15 03:07


1 Answer

@Michael - sqlbot is right.

It seems what you are doing is restricting access to the S3 bucket where you store that static web content to requests coming from a particular AWS VPC, using a VPC endpoint.

VPC endpoints establish associations between AWS services, to allow requests coming from INSIDE the VPC.

You can't get what you want with VPC and S3 ACL configuration, but you can get it with ACL and some VPN configuration.

Let's assume connecting to your company's VPN doesn't mean that all the traffic, including Internet traffic between the VPN clients and AWS S3, will be routed through that VPN connection, because that's how sane VPN configuration usually works. If that's not the case, omit the following step:

  1. Add a static route to your S3 bucket to your VPN server configuration, so every client tries to reach the bucket through the VPN instead of trying to establish a direct internet connection with it. For example, on OpenVPN, edit server.conf, adding the following line:

    push "route yourS3bucketPublicIP 255.255.255.255"

After that you will see that when a client connects to the VPN it gets an extra entry added to its routing table, corresponding to the static route that tells it to reach the bucket through the VPN.

  2. Use S3 bucket ACLs "IpAddress" field to set the configuration you want. It should look something like this:

    {
      "Version": "2012-10-17",
      "Id": "S3PolicyId1",
      "Statement": [
        {
          "Sid": "IPAllow",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::examplebucket/*",
          "Condition": {
            "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
            "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
          }
        }
      ]
    }

You use the IpAddress field to allow an IP or range of IPs using CIDR notation, and the NotIpAddress field the same way for restricting an IP or range of IPs (you can omit that one). The IP (or range of IPs) specified in IpAddress should be the public address(es) of the gateway interface(s) that route(s) your company's VPN Internet traffic (the IP address(es) S3 sees when somebody from your VPN tries to connect to it).

More info:

http://www.bucketexplorer.com/documentation/amazon-s3--access-control-list-acl-overview.html

http://aws.amazon.com/articles/5050/

http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-3

https://openvpn.net/index.php/open-source/documentation/howto.html

NotGaeL answered Sep 24 '22 13:09

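Added example (not part of the question or the answer above, and not AWS code): a small evaluator for the bucket-policy condition operators used on this page (StringNotEquals, IpAddress, NotIpAddress), run against constructed request contexts. It reproduces why the asker's policy returns 403 from the VPN as well as from the Internet (a request that reaches S3 over its public endpoint carries no aws:sourceVpce key, and a negated operator like StringNotEquals matches when the key is absent, so the explicit Deny fires), and it shows the answer's IP-based policy admitting only traffic that leaves through the VPN gateway, which in turn depends on the pushed route from step 1. The IPs, the vpn_client_context helper and the object_acl_public flag (standing in for the public-read ACL that let index.html load before the policy was added) are assumptions; the vpce id and ARNs are the ones the page uses. IAM user policies and Action matching are deliberately not modelled.

```python
"""Toy S3 bucket-policy evaluator (added example, not AWS code).
Explicit Deny beats everything; otherwise an Allow from the policy or a
public-read object ACL grants; otherwise the request is implicitly denied."""
import ipaddress

# Constructed sample addresses (RFC 5737 test ranges), not from the page.
VPN_GATEWAY_EGRESS_IP = "203.0.113.10"   # public IP S3 sees for traffic leaving the VPN gateway
CLIENT_HOME_IP = "198.51.100.23"         # a VPN client's own ISP address (no route pushed)
OBJECT = "arn:aws:s3:::mybucket/index.html"

# The asker's policy from the question (Allow for one IAM user, Deny unless via the endpoint).
ASKER_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789:user/op"]},
     "Resource": "arn:aws:s3:::mybucket/*"},
    {"Effect": "Deny", "Principal": "*", "Resource": ["arn:aws:s3:::mybucket/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1234567"}}},
]}

# The answer's IP-based policy, with the VPN gateway's (constructed) egress range.
ANSWER_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Resource": "arn:aws:s3:::mybucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "NotIpAddress": {"aws:SourceIp": "203.0.113.188/32"}}},
]}


def _matches_resource(pattern, resource):
    return pattern == resource or (pattern.endswith("/*") and resource.startswith(pattern[:-1]))


def _condition_holds(condition, ctx):
    """Evaluate the condition block; all operator/key pairs must hold."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = ctx.get(key)  # None when the key is absent from the request context
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key counts as "not equal", so the test holds.
                if actual is not None and actual == expected:
                    return False
            elif operator == "IpAddress":
                if actual is None or ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            elif operator == "NotIpAddress":
                if actual is not None and ipaddress.ip_address(actual) in ipaddress.ip_network(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def _statement_applies(stmt, ctx):
    principal = stmt["Principal"]
    if principal != "*":
        allowed = principal.get("AWS", [])
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if ctx["principal"] not in allowed:
            return False
    resources = stmt["Resource"]
    resources = [resources] if isinstance(resources, str) else resources
    if not any(_matches_resource(r, ctx["resource"]) for r in resources):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policy, ctx, object_acl_public=False):
    """Return 'Allow' or 'Deny' for one request context."""
    effects = [s["Effect"] for s in policy["Statement"] if _statement_applies(s, ctx)]
    if "Deny" in effects:
        return "Deny"                      # explicit Deny always wins
    if "Allow" in effects or object_acl_public:
        return "Allow"
    return "Deny"                          # implicit deny


def http_status(policy, ctx, object_acl_public=False):
    return 200 if evaluate(policy, ctx, object_acl_public) == "Allow" else 403


def request_context(source_ip, vpce=None, principal="anonymous"):
    ctx = {"principal": principal, "resource": OBJECT, "aws:SourceIp": source_ip}
    if vpce:
        ctx["aws:sourceVpce"] = vpce       # present only when the request arrived via the endpoint
    return ctx


def vpn_client_context(route_pushed):
    """Step 1 of the answer: only with the pushed route does the client's S3 traffic
    leave via the VPN gateway; otherwise it exits through the client's own connection."""
    return request_context(VPN_GATEWAY_EGRESS_IP if route_pushed else CLIENT_HOME_IP)


if __name__ == "__main__":
    cases = [("internet", request_context(CLIENT_HOME_IP)),
             ("VPN (no vpce)", vpn_client_context(True)),
             ("EC2 via vpce", request_context("10.0.1.5", vpce="vpce-1234567"))]
    for label, ctx in cases:
        print(f"{label:14} asker policy -> {http_status(ASKER_POLICY, ctx, True)}"
              f"   answer policy -> {http_status(ANSWER_POLICY, ctx)}")
```

The third case in the usage block is the only one the asker's policy admits, and it is a request from inside the VPC, which is the point the answer makes about VPC endpoints. With the answer's policy the result flips on the pushed route alone: vpn_client_context(False) is denied because S3 sees the client's own address rather than the gateway's.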