S3 bucket policy to allow access through VPC endpoint and an IAM user only

0

I have an S3 bucket containing sensitive data. I have a use case such that only a specific IAM user can put objects into the bucket, and it is only accessible through a VPC endpoint. How can I achieve this?

5 Answers
0

Hey, thanks for the answer. But I want to restrict access on S3, so there is an IAM user that uploads to the S3 bucket from the internet and it has only PutObject rights. I want my S3 bucket to be configured such that only that user can upload to the S3 bucket and it can be accessed through the VPC endpoint. All other access must be denied.

answered 2 years ago
  • I believe creating a bucket policy to only allow access from the endpoint that you created, or to restrict any other VPC endpoints if you want to.

0

VPC endpoints for S3 are secured through VPC endpoint access policies, which allow you to set which S3 buckets the endpoints should and should not have access to. By default, any user or service within the VPC, using credentials from any AWS account, has access to any Amazon S3 resource.

Use these together with S3 bucket policies to further refine access control over your buckets and objects.

  1. Go to VPC and select Endpoints.
  2. Then select Create Endpoint and search for the S3 service. Select the VPC where you would want to register the endpoint.
    1. Choose which route tables will have the VPC endpoint entry
  3. Modify your endpoint access control policy if you must. The example below shows a policy that allows only GetObject and PutObject actions to an S3 bucket named my_bucket and the objects in it.
    1. Add any tags you like. Then select Create endpoint
  4. To further refine access control to your S3 bucket and objects, you can create bucket policies that restrict VPC endpoint or VPC access.

The following is an example of an Amazon S3 bucket policy that restricts access to examplebucket unless the origin is from the VPC endpoint vpce-1a2b3c4d. The aws:sourceVpce condition is used to specify the endpoint. (image: bucket policy)

If you have resources in your AWS VPC that are connecting to Amazon S3, and you don’t want them to go through the public internet or use the S3 bucket DNS, then you should make use of Amazon S3 VPC Endpoint. Be sure to follow the principle of Least Privilege by setting up Endpoint Policies and S3 Bucket Policies so that only the appropriate entities get access to your buckets and objects.

I hope this answer helps you.

Thanks

answered 2 years ago
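Putting the two requirements from the question together (one IAM user may upload from the internet, everything else must come through the endpoint), here is an added example bucket policy; it is not from any of the answers above. The bucket name examplebucket and endpoint id vpce-1a2b3c4d are the values used in the answer, while the account id 111122223333 and the user name s3-uploader are placeholders to be replaced.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUploaderPutObjectOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/s3-uploader" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::examplebucket/*"
    },
    {
      "Sid": "DenyUnlessFromEndpointOrUploader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpce": "vpce-1a2b3c4d" },
        "ArnNotEquals": { "aws:PrincipalArn": "arn:aws:iam::111122223333:user/s3-uploader" }
      }
    }
  ]
}
```

Both conditions in the Deny statement must be true for it to apply, so a request is denied only when it neither arrives via vpce-1a2b3c4d nor comes from the uploader, and the uploader is still limited to PutObject because that is the only Allow granted. The explicit Deny also applies to the account's administrators, so add the administrator role ARN to the ArnNotEquals list (and keep the ability to edit the policy) before applying it.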
0

Can you create an IAM user only on that endpoint that has access to that private bucket? Would that work? No other user would have access to it then.

answered 2 years ago
0

But if a user/role is created with S3FullAccess, then it will have access to the bucket. We want to avoid that and place the restriction at the bucket level, so we need a bucket policy to satisfy those two requirements.

answered 2 years ago
0

No, you don't have to grant full access. Here's an article about granting access to a bucket. Hope this helps. https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example1.html

answered 2 years ago
