S3 Website endpoint 301 redirect ignoring bucket policy

This bucket policy grants permission for GET requests from a specific source IP.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKETNAME/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "8.8.8.8"
                }
            }
        }
    ]
}

If the bucket is set up as:

  • Static website hosting: Enabled
  • Hosting type: Host a static website

Then, if a request originates from an IP other than the one specified:

However, if the hosting type is changed to Redirect requests for an object, then the request from unauthorized IPs results in:

It does not matter where the redirect points to; I used google.com in my testing. If it is set to redirect to a domain name other than the bucket URL, the website endpoint ignores the fact that the policy does not grant GET permission and responds with a 301 redirect.

curl -v http://BUCKETNAME.s3-website-us-east-1.amazonaws.com
*   Trying 52.217.100.51:80...
* Connected to BUCKETNAME.s3-website-us-east-1.amazonaws.com (52.217.100.51) port 80 (#0)
> GET / HTTP/1.1
> Host: BUCKETNAME.s3-website-us-east-1.amazonaws.com
> User-Agent: curl/7.85.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< x-amz-id-2: sqsvHiKbD... 
< x-amz-request-id: TNTFX...
< Date: Thu, 20 Apr 2023 19:59:25 GMT
< Location: http://google.com/
< Server: AmazonS3
< Content-Length: 0
<
* Connection #0 to host BUCKETNAME.s3-website-us-east-1.amazonaws.com left intact

The question is whether the policy should also block GET requests from unauthorized IPs on the website endpoint, as it currently only blocks requests to the API endpoint.

VFS
asked a year ago · 836 views

1 Answer

Accepted Answer (3 votes)

Where does the 301 redirect to? Does it go to https://BUCKETNAME.s3.us-east-1.amazonaws.com/index.html? If so, then the end result will be 403.

Update: If you're redirecting to an external website then the policy is still working as designed - it's not retrieving an object at that point, it's performing a redirect so the logic that says "you can't perform a GetObject call" isn't being executed yet.

Bigger question: What's the end result you're trying to get here? If you're redirecting within the bucket then things will work as expected: The first call will redirect to an object to which access will then be denied. Or is there another outcome expected?

Update the second: The API and website endpoints are definitely different - in this case (a GET request for an object that doesn't exist) the API endpoint behaves as expected because the GET request reaches the storage layer and is then evaluated against the policy before it is allowed to "see" if the object exists. The website endpoint is different because it is following web server semantics; the redirect takes effect first - and in this case it is for an object that doesn't exist anyway.

I'm not as familiar with Cloudflare as I am with AWS; but if you were doing this with CloudFront I'd do the redirect from the www site within the CDN - that way you don't have to have the second bucket and it saves you time and cost on the requests to it.

AWS (EXPERT)
answered a year ago
  • It makes no difference what I set as the redirect address. I updated my question including my test setting it to google.com.

  • Thank you for your response! My situation involves two AWS S3 buckets - one hosts a static website while the other redirects www to the apex domain. A non-AWS proxy, in this case Cloudflare (or, alternatively, a Traefik reverse proxy), is set up to connect to these buckets. My objective is to allow visitors to access the buckets only through the proxy, and disallow any direct request to the bucket. To this end, I have included the proxy's IP addresses as an IpAddress condition.

    As a newcomer to AWS and cloud computing, I find the GetObject permission documentation somewhat ambiguous regarding how it applies to both the API and WEBSITE endpoints. Based on what I understand, the permission covers all get operations on the bucket, and even if the server redirects instead of providing a file, direct requests should be blocked. However, I'm still unsure about how to limit access to the WEBSITE endpoint. Can you offer guidance on this topic?
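As an added illustration, not code from the question or the answer, here is a small offline check that takes a bucket policy and a website configuration in the shapes the S3 API returns (constructed samples, not the asker's real bucket) and flags the situation discussed above: an aws:SourceIp condition on s3:GetObject that the website endpoint never evaluates because the bucket is configured to redirect all requests.

```python
import json

# Constructed sample policy in the asker's style (ARN form for the resource).
POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::BUCKETNAME/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "8.8.8.8"}},
    }],
})
# Constructed website configurations, shaped like the GetBucketWebsite response.
WEBSITE_STATIC = {"IndexDocument": {"Suffix": "index.html"}}
WEBSITE_REDIRECT_ALL = {"RedirectAllRequestsTo": {"HostName": "google.com", "Protocol": "http"}}


def _as_list(value):
    # Policy fields such as Statement and Action may be a single value or a list.
    return value if isinstance(value, list) else [value]


def ip_conditioned_get_statements(policy_json):
    """Sids of Allow statements that grant s3:GetObject only from listed source IPs."""
    policy = json.loads(policy_json)
    sids = []
    for st in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        grants_get = st.get("Effect") == "Allow" and ("s3:getobject" in actions or "s3:*" in actions)
        has_ip = "aws:SourceIp" in st.get("Condition", {}).get("IpAddress", {})
        if grants_get and has_ip:
            sids.append(st.get("Sid", "<no Sid>"))
    return sids


def audit_website_endpoint(policy_json, website_config):
    """Findings for a bucket whose reads are meant to be limited by source IP.

    website_config is None when static website hosting is disabled (only the
    REST API endpoint exists, and that endpoint evaluates the policy on every GET).
    """
    findings = []
    sids = ip_conditioned_get_statements(policy_json)
    if website_config is None or not sids:
        return findings
    if "RedirectAllRequestsTo" in website_config:
        target = website_config["RedirectAllRequestsTo"]["HostName"]
        findings.append(f"website endpoint answers 301 to {target} before any GetObject "
                        f"is evaluated, so the IP condition in {sids} does not restrict it")
    return findings
```

With the static configuration the function reports nothing, matching the 403 the asker observed; with redirect-all it reports the bypass the accepted answer explains.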
