I have generated the below policy but it still allows all other ec2 instances to access my bucket. what change should I make to this policy? what I want is my bucket to be accessible only to the instance I have mentioned and not to any other instance
{
  "Id": "Policy1507871740101",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1507871738318",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/*",
      "Principal": {
        "AWS": "arn:aws:ec2:region:userid:instance/instanceid"
      }
    }
  ]
}
You cannot specify an instance ID, but you can specify an IP address in an S3 policy.
However, you have another problem. If your EC2 instances can already access S3, either you have made the bucket public or you have assigned a role to the instance granting permission. Review this first. Find your security holes first.
Below is an example policy for S3 using IP addresses to grant or deny access:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}
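To make the semantics of the IpAddress/NotIpAddress conditions concrete, here is an added Python example (not code from the question or the answer) that parses the policy above and applies a simplified IAM decision for a given source address. The evaluate and condition_matches helpers and the sample IPs are my own constructions, and Principal, Action and Resource matching is deliberately left out of the model.

```python
import ipaddress
import json

# Constructed copy of the IP-based bucket policy from the answer above.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IPAllow",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {
      "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
      "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
    }
  }]
}"""

def _as_list(value):
    # Condition values may be one string or a list of strings.
    return value if isinstance(value, list) else [value]

def _ip_in_any(source_ip, cidrs):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_matches(condition, source_ip):
    # True only if every IpAddress/NotIpAddress clause holds for source_ip.
    for operator, keys in condition.items():
        cidrs = _as_list(keys.get("aws:SourceIp", []))
        if operator == "IpAddress" and not _ip_in_any(source_ip, cidrs):
            return False
        if operator == "NotIpAddress" and _ip_in_any(source_ip, cidrs):
            return False
    return True

def evaluate(policy_json, source_ip):
    # Simplified evaluation: explicit Deny wins, then a matching Allow,
    # otherwise implicit deny. Principal/Action/Resource are not modelled.
    policy = json.loads(policy_json)
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

Note that the excluded host merely fails to match the Allow statement, so it ends up implicitly denied rather than explicitly denied; in the same account, an Allow in an instance role's identity policy would still grant access unless the bucket policy also carries an explicit Deny.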