Restrict access to S3 bucket by IP without affecting IAM credentials

I have the following use case on AWS:

  • A bucket which is used to "host" an internal-only web application built in AngularJS
  • A pool of servers in an auto scaling group which can modify the contents of the bucket

In order to ensure the bucket contents is only served internally, I've used the following bucket policy which restricts access to our static IP:

{
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket.myhost.com/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "x.x.x.x/32"
                    ]
                }
            }
        }
    ]
}

This works perfectly in stopping anyone outside our office from accessing the bucket over HTTP. Perfect.

However, the servers in the auto scaling group (which have full permission on the bucket using IAM roles) cannot access the bucket. It seems the S3 bucket policy takes precedence. I cannot add their IPs to the bucket policy since it's a scaling group and their IPs will change on a regular basis.

I've tried a few solutions but had no joy:

  • Specifying a second statement with an "Allow" with my IAM role's ARN as the principal
  • Tried looking for a way to allow an EC2 security group full access but couldn't find the option
  • Tried looking for ways to make IAM roles have precedence over bucket policies

I feel like this should be simple but I'm getting frustrated now :(

theandywaite asked Oct 13 '14 10:10



1 Answer

I realised all the objects in my bucket had public read ACL. I removed the public read ACL so objects defaulted to "deny". I was then able to use a policy like this to allow access to our office IP AND our auto scaling EC2 servers, which are identified by their IAM role:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket.myhost.com/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "x.x.x.x/32"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:role/xxxxxx"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket.myhost.com/*"
        }
    ]
}
theandywaite answered Oct 27 '22 02:10
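The behaviour described in the question (the IAM role being blocked by the Deny policy) and in the answer (the Allow-only policy working once the public-read ACL was gone) both follow from the S3 evaluation order: an explicit Deny in the bucket policy wins over everything, otherwise an Allow from the bucket policy, the principal's IAM policy, or an object ACL is enough, and otherwise the request is denied. The following script is an added example, not code from the question or answer, that models that order over the two policies above so the outcomes can be checked without an AWS account. The office IP, the role ARN and the request sources are constructed placeholders, and the matcher only handles the `aws:SourceIp` conditions and the `*` wildcards the policies actually use.

```python
import fnmatch
import ipaddress

# Constructed placeholders standing in for the x.x.x.x/32 and role ARN in the page.
OFFICE_IP = "203.0.113.10"
ROLE_ARN = "arn:aws:iam::123456789012:role/web-updater"
BUCKET_OBJECTS = "arn:aws:s3:::mybucket.myhost.com/*"

# The question's policy: Deny every principal whose source IP is not the office.
DENY_OUTSIDE_OFFICE = {
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": BUCKET_OBJECTS,
        "Condition": {"NotIpAddress": {"aws:SourceIp": [f"{OFFICE_IP}/32"]}},
    }]
}

# The answer's policy: Allow from the office IP, and Allow the role from anywhere.
ALLOW_OFFICE_OR_ROLE = {
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            "Resource": BUCKET_OBJECTS,
            "Condition": {"IpAddress": {"aws:SourceIp": [f"{OFFICE_IP}/32"]}},
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": "s3:*",
            "Resource": BUCKET_OBJECTS,
        },
    ]
}


def _principal_matches(statement, principal_arn):
    """'*' matches everyone, including anonymous (principal_arn=None)."""
    allowed = statement["Principal"]["AWS"]
    allowed = allowed if isinstance(allowed, list) else [allowed]
    return any(p == "*" or p == principal_arn for p in allowed)


def _condition_holds(statement, source_ip):
    """Evaluate IpAddress / NotIpAddress conditions on aws:SourceIp only."""
    ip = ipaddress.ip_address(source_ip)
    for op, keys in statement.get("Condition", {}).items():
        in_range = any(ip in ipaddress.ip_network(c) for c in keys["aws:SourceIp"])
        if op == "IpAddress" and not in_range:
            return False
        if op == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policy, principal_arn, action, resource, source_ip,
             identity_allows=False, acl_public_read=False):
    """Simplified S3 decision: explicit Deny wins; otherwise any Allow from the
    bucket policy, the caller's IAM (identity) policy, or a public-read object
    ACL grants access; otherwise the default is deny."""
    bucket_allow = False
    for st in policy["Statement"]:
        if not (_principal_matches(st, principal_arn)
                and fnmatch.fnmatchcase(action, st["Action"])
                and fnmatch.fnmatchcase(resource, st["Resource"])
                and _condition_holds(st, source_ip)):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        bucket_allow = True
    return "allow" if (bucket_allow or identity_allows or acl_public_read) else "deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::mybucket.myhost.com/index.html"
    # Role on an auto-scaled instance IP: blocked by the Deny despite its IAM permissions.
    print(evaluate(DENY_OUTSIDE_OFFICE, ROLE_ARN, "s3:PutObject", obj, "10.0.0.5", identity_allows=True))
    # Same role under the answer's policy: allowed.
    print(evaluate(ALLOW_OFFICE_OR_ROLE, ROLE_ARN, "s3:PutObject", obj, "10.0.0.5", identity_allows=True))
    # Anonymous browser outside the office, public-read ACL left in place: still allowed.
    print(evaluate(ALLOW_OFFICE_OR_ROLE, None, "s3:GetObject", obj, "198.51.100.7", acl_public_read=True))
```

The last case is the point the answer makes about the ACLs: an Allow-only bucket policy cannot take away a grant that comes from elsewhere, so the public-read object ACL had to be removed before "not matched by any Allow" actually meant "denied". Conversely, the Deny form in the question does override the instances' IAM role, which is why the servers lost access. When auditing a bucket with a similar policy, check both the bucket policy and the object ACLs (and any account-level public access block), since any one of them can grant access on its own.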