Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Condition to limit S3 access from AWS network only

0

I need to provide an assess to my S3 to partners companies which has their own AWS accounts

I'd like to limit access to my S3 bucket by AWS network only.

The reason is to prevent anyone from downloading resources directly to on premises servers. Because according to my understanding, when partner will be downloading data from my S3 to EC2 (for example) in their AWS account in the same region this data transfer would not be charged. The region could be limited by s3:LocationConstraint condition.

So my question is which policy condition should be used to limit by AWS network?

  • Smotrov
    hace 2 años

    Hmm... It seams like I can't use s3:LocationConstraint for GetObject. It is written in documentation: "Not all conditions make sense for all actions. For example, it makes sense to include an s3:LocationConstraint condition on a policy that grants the s3:CreateBucket Amazon S3 permission. However, it does not make sense to include this condition on a policy that grants the s3:GetObject permission."

    Is there any other way to limit readings from specific region?

Temas
AlmacenamientoSeguridad, identidad y cumplimiento
Etiquetas
Amazon Simple Storage ServicePolíticas de IAM
Idioma
English
profile picture
Smotrov
preguntada hace 2 años308 visualizaciones
3 Respuestas
1

You can try the aws:SourceVpc condition of IAM Policy document. Check the details from the documentation! :)

profile picture
EXPERTO
posquit0
respondido hace 2 años
  • Smotrov
    hace 2 años

    Good idea! Thank you however it requires that the in-VPC service on the other side. Non-VPC Lambda for example, will not be able to access the data. In the meanwhile, pretty good workaround! Thank you.

0

Hello

Yes you can do that, Please follow the AWS Support Blog https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/

Thank You GK

profile picture
GK
respondido hace 2 años
  • Smotrov
    hace 2 años

    Thank you for your comment. Unfortunately either of suggested restrictions doesn't solves the issue.

    1. VPC endpoint service with our partners will cause per GB charge.
    2. Not all partners are ready to setup a NAT with static IP. Again because of per GB price.

    In our case we are talking about hundreds of terabytes per month so we are really sensitive in this questions.

    As it is written here https://aws.amazon.com/s3/pricing/

    You pay for all bandwidth into and out of Amazon S3, except for the following:

    ... Data transferred from an Amazon S3 bucket to any AWS service(s) within the same AWS Region as the S3 bucket (including to a different account in the same AWS Region) ....

    So my question is how to put exactly this statement into policy condition.

0

You could write a bucket policy that uses the SourceIP condition and limits it to EC2 CIDR address for your region.

curl https://ip-ranges.amazonaws.com/ip-ranges.json > ip-ranges.json
jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2") | .ip_prefix' < ip-ranges.json
profile pictureAWS
EXPERTO
kentrad
respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante