How to provide multiple StringNotEquals conditions in AWS policy?

I am trying to write an AWS S3 bucket policy that denies all traffic except when it comes from two VPCs. The policy I'm trying to write looks like the one below, with a logical AND between the two StringNotEquals (except it's an invalid policy):

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Allow-access-only-from-two-VPCs",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbccc"
         },
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbddd"
         }
       },
       "Principal": "*"
     }
   ]
}

If I use this:

"StringNotEquals": {
       "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
     }

then at least one of the string comparisons returns true and the S3 bucket is not accessible from anywhere.

ikh asked Sep 05 '17 19:09

1 Answer

Never tried this before. But the following should work. From: Using IAM Policy Conditions for Fine-Grained Access Control

    "Condition": {
        "ForAllValues:StringNotEquals": {
            "aws:sourceVpc": [
                "vpc-111bbccc",
                "vpc-111bbddd"
            ]
        }
    }
helloV answered Sep 22 '22 12:09
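As an added illustration (not code from either post), here is a small Python model of the two things the question runs into: why a Condition object cannot carry the same operator key twice, and how IAM evaluates a negated string operator that carries a list. The evaluator is a deliberately simplified model of the documented IAM rules for a single-valued key such as aws:sourceVpc: a negated operator like StringNotEquals with several values is true only when the request value matches none of them, and it is also true when the key is absent from the request context (which is what makes a Deny of this shape block requests that do not arrive through a VPC endpoint). The ForAllValues form from the answer is not modeled. The policy texts and request contexts below are constructed samples.

```python
import json


class DuplicateKeyError(ValueError):
    """Raised when a JSON object in the policy repeats a key."""


# Constructed sample: the question's second form, one StringNotEquals whose
# value is a list of both VPC ids.
ALLOWED_VPCS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow-access-only-from-two-VPCs",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
                }
            },
        }
    ],
}

# Constructed sample: the question's first form, with "StringNotEquals"
# repeated inside one Condition object. Kept as JSON text because a Python
# dict literal cannot carry duplicate keys.
DUPLICATE_KEY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {
      "StringNotEquals": {"aws:sourceVpc": "vpc-111bbccc"},
      "StringNotEquals": {"aws:sourceVpc": "vpc-111bbddd"}
    }
  }]
}"""


def load_policy_strict(text):
    """Parse policy JSON, refusing any object that repeats a key."""
    def reject_dupes(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise DuplicateKeyError(f"duplicate key {key!r} in policy object")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=reject_dupes)


def has_duplicate_keys(text):
    """True if the strict parser rejects the policy for a repeated key."""
    try:
        load_policy_strict(text)
    except DuplicateKeyError:
        return True
    return False


def lenient_condition(text):
    """What a plain json.loads keeps: the last duplicate silently wins."""
    return json.loads(text)["Statement"][0]["Condition"]


def string_condition_matches(operator, wanted, actual):
    """Simplified IAM string-operator model for a single-valued key.

    wanted: str or list of str from the policy. actual: the request context
    value, or None when the key is absent (e.g. an S3 request that does not
    come through a VPC endpoint carries no aws:sourceVpc).
    """
    values = [wanted] if isinstance(wanted, str) else list(wanted)
    if operator == "StringEquals":
        # positive operator: any listed value may match; missing key -> False
        return actual is not None and actual in values
    if operator == "StringNotEquals":
        # negated operator: the value must match none of the list (logical
        # AND across the list); missing key -> True
        return actual is None or actual not in values
    raise NotImplementedError(operator)


def statement_applies(statement, context):
    """True when every condition in the statement holds for the context."""
    for operator, keys in statement.get("Condition", {}).items():
        for key, wanted in keys.items():
            if not string_condition_matches(operator, wanted, context.get(key)):
                return False
    return True


def is_denied(policy, context):
    """True if any Deny statement in the policy applies to the request."""
    return any(st["Effect"] == "Deny" and statement_applies(st, context)
               for st in policy["Statement"])


if __name__ == "__main__":
    print("duplicate keys rejected:", has_duplicate_keys(DUPLICATE_KEY_POLICY))
    print("lenient parse keeps:", lenient_condition(DUPLICATE_KEY_POLICY))
    for ctx in ({"aws:sourceVpc": "vpc-111bbccc"}, {"aws:sourceVpc": "vpc-111bbddd"},
                {"aws:sourceVpc": "vpc-000other"}, {}):
        print(ctx, "denied" if is_denied(ALLOWED_VPCS_POLICY, ctx) else "not denied")
```

Running the model on the list form shows a request from either listed VPC is not denied, while a request from any other VPC, or one with no aws:sourceVpc in its context at all, is. The strict parser also shows why the duplicate-key policy is rejected rather than treated as two ANDed conditions: a plain JSON parse keeps only the last "StringNotEquals" block.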