Hey, thanks for the answer. But I want to restrict access on S3, so there is an IAM user that uploads to the S3 bucket from the internet and it has only PutObject rights. I want my S3 to be configured such that only that user can upload to the S3 bucket and it can be accessed through the VPC endpoint. All other access must be denied.
VPC endpoints for S3 are secured through VPC endpoint access policies, which allow you to set which S3 buckets the endpoints should and should not have access to. By default, any user or service within the VPC, using credentials from any AWS account, has access to any Amazon S3 resource.
Use these together with S3 bucket policies to further refine access control over your buckets and objects.
- Go to VPC and select Endpoints.
- Then select Create Endpoint and search for the S3 service. Select the VPC where you would want to register the endpoint.
- Choose which route tables will have the VPC endpoint entry.
- Modify your endpoint access control policy if you must. The example below shows a policy that allows only GetObject and PutObject actions to an S3 bucket named my_bucket and the objects in it.
- Add any tags you like. Then select Create endpoint.
- To further refine access control to your S3 bucket and objects, you can create bucket policies that restrict VPC endpoint or VPC access.
The following is an example of an Amazon S3 bucket policy that restricts access to examplebucket unless the origin is from the VPC endpoint vpce-1a2b3c4d. The aws:sourceVpce condition is used to specify the endpoint.
If you have resources in your AWS VPC that are connecting to Amazon S3, and you don't want them to go through the public internet or use the S3 bucket DNS, then you should make use of an Amazon S3 VPC Endpoint. Be sure to follow the principle of Least Privilege by setting up Endpoint Policies and S3 Bucket Policies so that only the appropriate entities get access to your buckets and objects.
I hope this answer helps you.
Can you create an IAM user only on that endpoint that has access to that private bucket? Would that work? No other user would have access to it then.
But if a user/role is created with S3FullAccess, then it will have access to the bucket. We want to avoid that and place the restriction at the bucket level, so we need a bucket policy to satisfy those two requirements.
No, you don't have to grant full access. Here's an article about granting access to a bucket. Hope this helps. https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example1.html
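A bucket policy that meets both requirements from the thread (only the VPC endpoint vpce-1a2b3c4d or one IAM user may reach examplebucket, and that user may only PutObject), written as an added example rather than code from the answer or from AWS documentation; the account ID 111122223333 and the user name "uploader" are placeholders to replace with your own:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessFromVpcEndpointOrUploader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:user/uploader"
        }
      }
    },
    {
      "Sid": "UploaderMayOnlyPutObject",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/uploader"
      },
      "NotAction": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ]
    }
  ]
}
```

Both conditions in the first statement must hold for the Deny to apply, so a request is denied only when it neither comes through the endpoint nor is made by the uploader; the uploader still needs an IAM policy that allows s3:PutObject, since a Deny grants nothing. Because the first statement applies to every principal including administrators, verify it with the IAM policy simulator before attaching it, as a mistaken endpoint ID can lock you out of the bucket.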