Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!
Limit S3 Bucket with Vpc Endpoint while also Enable AWS Management Console
I want to limit S3 operation of a certain S3 bucket only through the VPC endpoints, so I changed the S3 bucket policy to the way like
{
"Version": "2012-10-17",
"Id": "Access-to-bucket-using-specific-endpoint",
"Statement": [
{
"Sid": "Access-to-specific-VPCE-only",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::bucket_name",
"arn:aws:s3:::bucket_name/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-1a2b3c4d"
}
}
}
]
}
While after submitting this policy, I found myself not able to manage the S3 bucket attribute via AWS Management Console. Every time I click on the bucket, the console just displays errors of "Insufficient permissions to ..." , even if I have enough IAM previlege to perform that operation. Well, it makes perfect sense, but what if I still want to manage the bucket via AWS Management Console, how should the bucket policy to be set?
- Newest
- Most votes
- Most comments
Certain IAM users can operate from the console by setting the following bucket policy.
EC2, etc., access should be denied unless it is through a VPC endpoint.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalarn
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::S3 bucket Name",
"arn:aws:s3:::S3 bucket Name/*"
],
"Condition": {
"StringNotEquals": {
"aws:SourceVpce": "VPC Endpoint ID",
"aws:PrincipalArn": "IAM User ARN"
}
}
}
]
}
