By using AWS re:Post, you agree to the Terms of Use

S3 bucket policy to allow access through VPC endpoint and an IAM user only

0

I have a S3 bucket having sensitive data, i have a use case such that only a specific IAM user can put objects to the bucket and it is only accessible through a VPC endpoint. how can i achieve this?

5 Answers
0

Hey, Thanks for the answer. But i want to restrict access on S3, so there is an IAM user that uploads to the s3 bucket from internet and it has only put object rights. I want my s3 to be configured such that only the user can upload the s3 bucket and it can be accessed through vpc endpoint. All other access must be denied

answered 2 months ago
  • I believe creating a bucket policy to only allow the endpoint to access that you created or restrict any other VPC endpoints if you want to.

0

VPC endpoints for S3 are secured through VPC endpoint access policies, which allows you to set which S3 buckets the endpoints should and should not have access to. By default, any user or service within the VPC, using credentials from any AWS account, has access to any Amazon S3 resource.

Use these together with S3 bucket policies to further refine access control over your buckets and objects.

  1. Go to VPC and select Endpoints.
  2. Then select Create Endpoint and search for the S3 service. Select the VPC where you would want to register the endpoint.
    1. Choose which route tables will have the VPC endpoint entry
  3. Modify your endpoint access control policy if you must. The example below shows a policy that allows only GetObject and PutObject actions to an S3 bucket named my_bucket and the objects in it.
    1. Add any tags you like. Then select Create endpoint
  4. To further refine access control to your S3 bucket and objects, you can create bucket policies that restrict VPC endpoint or VPC access.

The following is an example of an Amazon S3 bucket policy that restricts access to examplebucket unless the origin is from the VPC endpoint vpce-1a2b3c4d. The aws:sourceVpce condition is used to specify the endpoint. bucket policy

If you have resources in your AWS VPC that are connecting to Amazon S3, and you don’t want them to go through the public internet or use the S3 bucket DNS, then you should make use of Amazon S3 VPC Endpoint. Be sure to follow the principle of Least Privilege by setting up Endpoint Policies and S3 Bucket Policies so that only the appropriate entities get access to your buckets and objects.

I hope this answer helps you.

Thanks

answered 2 months ago
0

Can you create an IAM user only on that endpoint that has access to that private bucket? Would that work? No other user would have access to it then.

answered 2 months ago
0

But if a user/role is created with S3FullAccess then, it will have access to the bucket. We want to avoid that and place restriction at bucket level. So need bucket policy to satisfy those two requirements

answered 2 months ago
0

no. you don't have to grant full access. Here's an article about granting access to a bucket. Hope this helps. https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example1.html

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions