I have the following use case on AWS:
In order to ensure the bucket contents is only served internally, I've used the following bucket policy which restricts access to our static IP:
{
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket.myhost.com/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "x.x.x.x/32"
                    ]
                }
            }
        }
    ]
}
This works perfectly in stopping anyone outside our office from accessing the bucket over HTTP. Perfect.
However, the servers in the auto scaling group (which have full permission on the bucket using IAM roles) cannot access the bucket. It seems the S3 bucket policy takes precedence. I cannot add their IPs to the bucket policy since it's a scaling group and their IPs will change on a regular basis.
I've tried a few solutions but had no joy:
I feel like this should be simple but I'm getting frustrated now :(
To allow users to perform S3 actions on the bucket from the VPC endpoints or IP addresses, you must explicitly allow the user-level permissions. You can explicitly allow user-level permissions on either an AWS Identity and Access Management (IAM) policy or another statement in the bucket policy.
To allow or block specific IP addresses for your EC2 instances, use a network Access Control List (ACL) or security group rules in your VPC. Network ACLs and security group rules act as firewalls allowing or blocking IP addresses from accessing your resources.
I realised all the objects in my bucket had public read ACL. I removed the public read ACL so objects defaulted to "deny". I was then able to use a policy like this to allow access to our office IP AND our auto scaling EC2 servers, which are identified by their IAM role:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket.myhost.com/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "x.x.x.x/32"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:role/xxxxxx"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket.myhost.com/*"
        }
    ]
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With