How to whitelist the known IPs on S3 bucket policy so that only whitelisted IPs can download the Object

0

How to whitelist the known IPs in an S3 bucket policy so that only whitelisted IPs can download the object. The rest of the users must get access denied.

I am using this policy, but whitelisted users are still getting a 403 error while trying to access the object URL stored in S3. Please assist here.

Here is the policy which I am using:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::toch-poc-2/*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": [
                            "3.6.255.121",
                            "43.204.223.244",
                            "34.126.80.246",
                            "34.142.191.139",
                            "34.143.188.86",
                            "49.249.215.66",
                            "15.207.175.132"
                        ]
                    }
                }
            }
        ]
    }

Dhaval
asked 10 months ago · 441 views
5 Answers
0

Is all block public access turned off?
If this is not all turned off, access will fail even if allowed by the bucket policy.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

The IP address should be changed to something like "34.126.80.246/32".

EXPERT
answered 10 months ago
  • The ARN of the S3 bucket listed in "Resource" should be something like "arn:aws:s3:::toch-poc-2/*", because GetObject needs the permission on the objects in the bucket.

    { 
        "Version": "2012-10-17", 
        "Statement": [ 
            { 
                "Sid": "Statement1", 
                "Effect": "Allow", 
                "Principal": "*", 
                "Action": "s3:GetObject", 
                "Resource": "arn:aws:s3:::toch-poc-2/*", 
                "Condition": { 
                    "IpAddress": { 
                        "aws:SourceIp": [ 
                            "3.6.255.121/32", 
                            "43.204.223.244/32", 
                            "34.126.80.246/32", 
                            "34.142.191.139/32", 
                            "34.143.188.86/32", 
                            "49.249.215.66/32", 
                            "15.207.175.132/32" 
                        ] 
                    } 
                } 
            } 
        ] 
    }
    
  • Yes. It's turned ON. Any modifications in the policy needed? Still facing the same error.

  • Yes, please try to use the policy I described.

  • Block Public Access does not need turning off when using a set of Classless Inter-Domain Routings (CIDRs) with aws:SourceIp in the bucket policy.

0

Yes. I am using the same policy as shared. I have enabled the ACL as well and ticked the Public access box in the ACL with the read and read option enabled. But I am still facing the same issue.

Dhaval
answered 10 months ago
  • Bucket ACLs should be disabled. Also, have you deleted your browser cache? Is the IP address from which you are connecting correct?

0

Thanks, this policy worked, but the only challenge we are facing here is with this IP "3.6.255.121/32". I even tried changing the subnet to /8 and /16. It did not work.

Any recommendations would be helpful

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::toch-poc-2/*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": [
                            "3.6.255.121/32",
                            "43.204.223.244/32",
                            "34.126.80.246/32",
                            "34.142.191.139/32",
                            "34.143.188.86/32",
                            "49.249.215.66/32",
                            "15.207.175.132/32",
                            "10.190.3.0/24"
                        ]
                    }
                }
            }
        ]
    }

Dhaval
answered 10 months ago
  • Are you sure that the IP address is correct? The policy passes for me.

0

Your bucket policy is wrong. You do NOT need to turn OFF Block Public Access, because the policy contains a set of Classless Inter-Domain Routings (CIDRs) in aws:SourceIp.

BLOCK PUBLIC isn't applicable because the policy isn't classed as public, because it's locked down to SourceIp.

You also have to be aware of KMS. If you're using AWS SSE it's OK; if your objects are encrypted with KMS, you will have to allow access to the KMS key also.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::toch-poc-2/*",
			"Condition": {
				"IpAddress": {
					"aws:SourceIp": [
						"3.6.255.121/32",
						"43.204.223.244/32",
						"34.126.80.246/32",
						"34.142.191.139/32",
						"34.143.188.86/32",
						"49.249.215.66/32",
						"15.207.175.132/32"
					]
				}
			}
		}
	]
}
EXPERT
answered 10 months ago
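The two points the expert answers keep coming back to (the Resource must end in `/*` for `s3:GetObject` to match any object, and a statement fenced by `aws:SourceIp` is not "public" for Block Public Access) can be checked offline. The script below is an added example, not the poster's policy tooling or AWS code: it is a deliberately small model of IAM evaluation that handles only `Principal "*"`, the `IpAddress`/`NotIpAddress` operators on `aws:SourceIp`, and `*`/`?` wildcards in Action and Resource. The bucket name and the seven IPs come from the thread; the object key `report.pdf`, the outside address `198.51.100.7` and the `POLICY_NO_WILDCARD` variant are constructed for the demonstration, and `statement_is_public` is an approximation that models only the `aws:SourceIp` rule from the linked S3 documentation.

```python
import copy
import ipaddress
import json
import re

# The thread's policy as the expert answers reproduce it (explicit /32 ranges).
POLICY_FIXED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::toch-poc-2/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "3.6.255.121/32", "43.204.223.244/32", "34.126.80.246/32",
            "34.142.191.139/32", "34.143.188.86/32", "49.249.215.66/32",
            "15.207.175.132/32"
          ]
        }
      }
    }
  ]
}
""")

# Constructed variant: Resource without the trailing "/*", the mistake the
# first answer tells the poster to look for.
POLICY_NO_WILDCARD = copy.deepcopy(POLICY_FIXED)
POLICY_NO_WILDCARD["Statement"][0]["Resource"] = "arn:aws:s3:::toch-poc-2/"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, text):
    # IAM Action/Resource patterns: "*" matches any run of characters, "?" one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text) is not None


def ip_in_any(source_ip, cidrs):
    """True if source_ip falls inside any listed aws:SourceIp value.

    strict=False parses a bare address as a single-host network (the same thing
    an explicit /32 says) and tolerates host bits in a wider prefix, so the
    poster's "/8" experiment becomes 3.0.0.0/8.
    """
    ip = ipaddress.ip_address(source_ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def _condition_holds(condition, source_ip):
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key.lower() != "aws:sourceip" or operator not in ("IpAddress", "NotIpAddress"):
                raise NotImplementedError(f"{operator}/{key} is not modelled here")
            hit = ip_in_any(source_ip, _as_list(values))
            if hit != (operator == "IpAddress"):
                return False
    return True


def evaluate_get_object(policy, object_arn, source_ip, action="s3:GetObject"):
    """'Allow' or 'Deny' for an anonymous (Principal "*") request.

    Simplified IAM logic: a matching explicit Deny wins outright, any matching
    Allow otherwise wins, and no match at all is the implicit deny that S3
    reports as HTTP 403 AccessDenied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # only "everyone" principals are modelled
        if not any(_glob_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob_match(r, object_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def statement_is_public(stmt):
    """Approximation of the Block Public Access "is this public?" test.

    An Allow to everyone is still non-public when fenced by an aws:SourceIp
    IpAddress condition, unless a listed range is the whole address space
    (0.0.0.0/0 or ::/0). Other non-public condition keys are not modelled.
    """
    if stmt.get("Effect") != "Allow" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    cidrs = _as_list(stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))
    if not cidrs:
        return True
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


if __name__ == "__main__":
    obj = "arn:aws:s3:::toch-poc-2/report.pdf"
    for policy, name in ((POLICY_FIXED, "with /*"), (POLICY_NO_WILDCARD, "no /*")):
        for ip in ("3.6.255.121", "198.51.100.7"):
            print(f"{name:8} {ip:14} -> {evaluate_get_object(policy, obj, ip)}")
    print("statement public?", statement_is_public(POLICY_FIXED["Statement"][0]))
```

Running it shows the whitelisted address allowed and the outside address denied under the `/*` policy, and every address denied under the variant without `/*`: that uniform 403, regardless of source IP, is the signature of a Resource ARN that names the bucket rather than its objects. For a real bucket, the same questions can be asked of AWS itself with `aws s3api get-bucket-policy-status`, which reports the `IsPublic` flag, and by fetching the object from one of the listed addresses.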
-1

Hi, did you allow S3 Public Access on the bucket? If not, you will have to, because it will block access and result in an HTTP 403 before your bucket policy is even used.

See https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

AWS
EXPERT
answered 10 months ago
