How to block internet access for S3 buckets?

0

I have many ECS instances distributed in different VPCs. According to https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html, I can restrict the access source of the bucket by using the sourceVPC condition. However, this brings some problems. One is that the bucket policy needs to be modified when adding a new VPC, and the other is that my bucket cannot be accessed through the AWS Console/other AWS Services. My goal is to prevent internet access to objects in the bucket, but based on the Amazon S3 documentation I didn't find a proper solution.

asked 2 years ago · 672 views
2 Answers
1

You could specify the ecs-task role in the bucket policy as the only allowed principal and deny all others. Then, in the trust policy of the ecs-task role, only allow the ecs-tasks service to assume the role. See: How to Restrict Amazon S3 Bucket Access to a Specific IAM Role.

AWS EXPERT kentrad
answered 2 years ago
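As an added illustration of this answer (example code written here, not from the answerer or from AWS), the two policies below pin a bucket to a single ECS task role: the bucket policy allows the role and explicitly denies every other principal, and the trust policy lets only `ecs-tasks.amazonaws.com` assume that role. Every ARN, account ID and bucket name is a constructed placeholder. The `BreakGlassAdmin` role is a hypothetical addition: an explicit Deny in a bucket policy also applies to the account root and to administrators, so a second allowed principal is the only way back in if the task role is ever deleted. `principal_denied` is a deliberately simplified check of the Deny statement alone, not a reimplementation of IAM evaluation.

```python
"""Pin an S3 bucket to one ECS task role: bucket policy + role trust policy."""
import json

# Constructed placeholders, not values from the thread.
ACCOUNT_ID = "111122223333"
BUCKET = "example-private-bucket"
TASK_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/EcsTaskRole"
# Hypothetical break-glass role so the explicit Deny cannot lock the account out.
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/BreakGlassAdmin"


def bucket_policy(bucket, allowed_principals):
    """Allow the listed role ARNs and deny every other principal.

    aws:PrincipalArn resolves to the role ARN for assumed-role sessions, so the
    Deny condition needs no wildcard for the session name.
    """
    arn = f"arn:aws:s3:::{bucket}"
    allowed = list(allowed_principals)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowTaskRole",
                "Effect": "Allow",
                "Principal": {"AWS": allowed},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": [arn, f"{arn}/*"],
            },
            {
                "Sid": "DenyEveryoneElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": allowed}},
            },
        ],
    }


def trust_policy():
    """Trust policy for the task role: only the ECS tasks service may assume it.

    The aws:SourceAccount condition is the confused-deputy guard AWS recommends
    for service principals; it keeps tasks in other accounts from assuming the role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
            }
        ],
    }


def principal_denied(policy, principal_arn):
    """Simplified check: does the Deny statement's StringNotEquals condition fire
    for this principal ARN? (Deny statement only, not the full IAM engine.)"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["aws:PrincipalArn"]
        if principal_arn not in allowed:
            return True
    return False


if __name__ == "__main__":
    policy = bucket_policy(BUCKET, [TASK_ROLE, ADMIN_ROLE])
    print(json.dumps(policy, indent=2))
    print(json.dumps(trust_policy(), indent=2))
    for arn in (TASK_ROLE, f"arn:aws:iam::{ACCOUNT_ID}:user/alice"):
        print(arn, "-> denied" if principal_denied(policy, arn) else "-> allowed")
```

Because the Deny is keyed on the principal rather than on `aws:SourceVpc`, console and cross-service access keep working for the listed roles, and adding a VPC no longer requires a policy change; only the set of trusted roles does.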
0

The short answer is: Use a bucket policy. But if you could expand the question and talk to what sort of access (and from where - in terms of networking) you'd like to have that would make it possible to provide a more relevant answer.

AWS EXPERT
answered 2 years ago
  • You have conflicting goals then, because the AWS console is only accessible via the Internet, and other AWS services that use that bucket may not be VPC-based. And if you choose to restrict access to specific VPCs, then you will need to update the bucket policy as you add more VPCs. You might consider an automated deployment process that creates the VPCs and updates the bucket policy at the same time. The other answer from kentrad is probably the better way to go here because you can choose "who" is accessing the bucket rather than restricting the "where from".
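For the automation this comment suggests, the following is an added example (not code from the thread or from AWS) that keeps an `aws:SourceVpc` allow-list in a bucket policy in step with a VPC inventory: a deployment step passes the current list of VPC IDs, the function rewrites only its own statement (found by a constructed `Sid`) and reports whether anything changed, so it can be run idempotently after every VPC is created. The bucket name and VPC IDs are constructed placeholders. Note the trade-off the thread describes: `aws:SourceVpc` is only present on requests that arrive through a VPC endpoint, and `StringNotEquals` matches when the key is absent, so console and non-VPC service requests are denied by this statement unless another condition carves them out.

```python
"""Keep a bucket policy's aws:SourceVpc allow-list synchronised with a VPC inventory."""
import json

SID = "DenyOutsideKnownVpcs"  # constructed Sid used to find and replace our statement


def vpc_restriction_statement(bucket, vpc_ids):
    """Deny any request that did not arrive through one of the listed VPCs."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Sid": SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [arn, f"{arn}/*"],
        # Sorted, de-duplicated list so a reordered inventory is not a "change".
        "Condition": {"StringNotEquals": {"aws:SourceVpc": sorted(set(vpc_ids))}},
    }


def sync_vpc_list(existing_policy, bucket, vpc_ids):
    """Return (new_policy, changed).

    Replaces (or adds) the VPC statement so it matches the current inventory and
    leaves every other statement untouched. existing_policy may be None when the
    bucket has no policy yet.
    """
    if existing_policy:
        policy = json.loads(json.dumps(existing_policy))  # deep copy, no mutation
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    old = [s for s in policy["Statement"] if s.get("Sid") == SID]
    others = [s for s in policy["Statement"] if s.get("Sid") != SID]
    new_stmt = vpc_restriction_statement(bucket, vpc_ids)
    changed = not old or old[0] != new_stmt
    policy["Statement"] = others + [new_stmt]
    return policy, changed


def current_vpcs(policy):
    """VPC IDs currently allowed by our statement (empty if the statement is absent)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Sid") == SID:
            return list(stmt["Condition"]["StringNotEquals"]["aws:SourceVpc"])
    return []


if __name__ == "__main__":
    # Constructed inventory: a deployment pipeline would supply this list.
    inventory = ["vpc-0a1b2c3d4e5f60001", "vpc-0a1b2c3d4e5f60002"]
    policy, changed = sync_vpc_list(None, "example-private-bucket", inventory)
    print("changed:", changed, "vpcs:", current_vpcs(policy))
    # A new VPC is created; re-run with the extended inventory.
    inventory.append("vpc-0a1b2c3d4e5f60003")
    policy, changed = sync_vpc_list(policy, "example-private-bucket", inventory)
    print("changed:", changed, "vpcs:", current_vpcs(policy))
    print(json.dumps(policy, indent=2))
```

In a pipeline the returned policy would be written back with `put-bucket-policy` only when `changed` is true, which keeps the policy update tied to the same step that creates the VPC, as the comment proposes.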
