How do I grant access to users within a region (us-west-2) to a public AWS S3 bucket?


I have an S3 bucket and I want to restrict access to only requests that come from within the us-west-2 region. Since this is a public bucket, not every request will be from an AWS user (ideally an anonymous user with the Python boto3 UNSIGNED configuration or s3fs anon=True). I tried to specify this with IP addresses, but they change over time, so is there a way to do this (Python code or S3 bucket policy changes)?

Minh
asked 8 months ago · 269 views
3 Answers

To the best of my knowledge, you'll need to have IP address ranges to restrict S3 bucket access for users outside AWS. Since you have mentioned it, I assume you'd have already tried using the regional IP address ranges for us-west-2; here is the reference on how you can get the IP address ranges and how to restrict via a resource (bucket) policy. But for users outside AWS, you'll need to have IP addresses/ranges; otherwise the bucket is public and open to all.

AWS
EXPERT
answered 8 months ago
  • I know how to set up the bucket policy and restrict IAM access, but what confuses me are the IP ranges. One of the public IP addresses that I tested was 54.185.., which is in Oregon, hosted by AMZ itself, and should be covered in the us-west-2 region (I suppose?). However, it is not covered anywhere in the JSON file in CIDR format. Another one is 34.216.., which is also not covered... Note that I want to filter public IP addresses from computer user requests, not just AWS service requests.

    Also, am I supposed to copy-paste all the 500+ IP address ranges for us-west-2 in the file into the policy? What's the best practice here? I'm all new to this, so apologies.


Hi, you can modify your S3 bucket policy [1] to place conditions on the requester's source IP, and use the advertised AWS IP ranges for the us-west-2 region. Kindly refer to link [2] for the public IPs in the us-west-2 region.

References:
[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-3
[2] https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html

AWS
answered 8 months ago
  • I'm just going to copy-paste my answer above since the answers are similar:

    I know how to set up the bucket policy and restrict IAM access, but what confuses me are the IP ranges. One of the public IP addresses that I tested was 54.185.., which is in Oregon, hosted by AMZ itself, and should be covered in the us-west-2 region (I suppose?). However, it is not covered anywhere in the JSON file in CIDR format. Another one is 34.216.., which is also not covered. I want to filter IP addresses from public user requests, not just those from AWS services.

    By the way, am I supposed to copy-paste all the 500+ IP address ranges for us-west-2 in the file into the policy? What's the best practice here? I'm all new to this, so apologies.
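The two answers above both point at the same mechanism: pull the published AWS IP ranges for a region and put them in an aws:SourceIp condition. The script below is an added example (not code from the original post or from AWS) that does exactly that for the ip-ranges.json format, and also looks up which published entries, in any region, cover a given address, which is the check the asker's 54.185.. / 34.216.. confusion calls for. SAMPLE_IP_RANGES is a constructed stand-in built from RFC 5737 / RFC 3849 documentation prefixes; the real file is https://ip-ranges.amazonaws.com/ip-ranges.json, and the bucket name is assumed.

```python
"""Added example, not code from the original post or from AWS.

Builds an anonymous-read bucket policy restricted to the CIDRs that
ip-ranges.json publishes for one region, checks it against the bucket
policy size limit, and reports which published entries cover an address.
"""
import ipaddress
import json

BUCKET = "example-public-bucket"    # assumed bucket name
REGION = "us-west-2"
MAX_POLICY_BYTES = 20 * 1024        # S3 bucket policies are limited to 20 KB

# Constructed sample with the structure of the real ip-ranges.json. As in the
# real file, one prefix can appear under several services (AMAZON is the
# superset list) and some prefixes are published under GLOBAL, not a region.
SAMPLE_IP_RANGES = {
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "AMAZON",
         "network_border_group": "us-west-2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "EC2",
         "network_border_group": "us-west-2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON",
         "network_border_group": "GLOBAL"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-west-2", "service": "AMAZON",
         "network_border_group": "us-west-2"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "us-east-1", "service": "AMAZON",
         "network_border_group": "us-east-1"},
    ],
}


def iter_entries(ip_ranges):
    """Yield (network, region, service) for every IPv4 and IPv6 entry."""
    for e in ip_ranges.get("prefixes", []):
        yield ipaddress.ip_network(e["ip_prefix"]), e["region"], e["service"]
    for e in ip_ranges.get("ipv6_prefixes", []):
        yield ipaddress.ip_network(e["ipv6_prefix"]), e["region"], e["service"]


def region_cidrs(ip_ranges, region, service="AMAZON"):
    """Unique CIDRs published for `region` under `service`.

    AMAZON is the superset list, so filtering on it lists each prefix once
    instead of once per service. The result is sorted so regenerated
    policies are stable and easy to diff.
    """
    nets = {net for net, reg, svc in iter_entries(ip_ranges)
            if reg == region and svc == service}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def covering_entries(ip_ranges, address):
    """Every published entry whose prefix contains `address`.

    An empty result means the address is not in the file at all: a
    geolocation of 'Oregon' is not evidence that AWS publishes the address
    under us-west-2 (it may be GLOBAL, another region, or not AWS at all).
    """
    ip = ipaddress.ip_address(address)
    return [(str(net), reg, svc) for net, reg, svc in iter_entries(ip_ranges)
            if ip.version == net.version and ip in net]


def build_policy(bucket, cidrs):
    """Anonymous GetObject, allowed only from the given source CIDRs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AnonymousReadFromRegionRanges",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # aws:SourceIp takes IPv4 and IPv6 CIDRs. It is the public address
            # S3 sees, so requests arriving via a VPC endpoint do not match it.
            "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
        }],
    }


def policy_json(policy):
    """Compact JSON, as it would be sent in a PutBucketPolicy call."""
    return json.dumps(policy, separators=(",", ":"))


def policy_fits(policy):
    """False if the serialised policy exceeds the 20 KB bucket-policy limit."""
    return len(policy_json(policy).encode()) <= MAX_POLICY_BYTES


if __name__ == "__main__":
    cidrs = region_cidrs(SAMPLE_IP_RANGES, REGION)
    policy = build_policy(BUCKET, cidrs)
    print(policy_json(policy))
    print("fits 20 KB limit:", policy_fits(policy))
    for addr in ("198.51.100.9", "203.0.113.7", "2001:db8:1::5", "10.0.0.1"):
        print(addr, "->", covering_entries(SAMPLE_IP_RANGES, addr))
```

Two practical points follow from this. The file changes, so a policy generated from it has to be regenerated when the syncToken changes rather than pasted once by hand; and with several hundred prefixes the policy can approach the 20 KB limit, which `policy_fits` checks before you call PutBucketPolicy. Note also that these ranges are AWS infrastructure addresses: a home or office user in Oregon will not be in them, so this only admits requests that originate from AWS-hosted machines in that region.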


Is this an architecture where you could provide access to the bucket via VPC endpoints? You can then add the condition to limit access to these endpoints. And you could make the bucket private.

AWS
EXPERT
kentrad
answered 8 months ago
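The endpoint-based design in the answer above relies on an explicit Deny keyed on aws:SourceVpce. The code below is an added example (not from the original post or from AWS) that generates that policy and models how its conditions evaluate, including the case that matters most: a request from the public internet, which carries no aws:SourceVpce key at all. The bucket name and endpoint ID are assumed values; the evaluator only implements the two operators this policy uses and skips resource matching, since both statements cover the whole bucket.

```python
"""Added example, not code from the original post or from AWS.

Generates a bucket policy that denies every request not arriving through a
listed S3 VPC endpoint and allows anonymous reads that do, then evaluates
sample requests against it with IAM's missing-key rules for the two
condition operators involved.
"""
import fnmatch
import json

BUCKET = "example-private-bucket"            # assumed bucket name
TRUSTED_VPCE = ["vpce-0123456789abcdef0"]    # assumed endpoint ID


def vpce_only_policy(bucket, vpce_ids):
    """Explicit Deny for anything not from a trusted endpoint, plus a read
    Allow for anonymous requests that do come through one."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromTrustedEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": list(vpce_ids)}},
            },
            {
                "Sid": "AllowReadFromTrustedEndpoint",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": resources,
                "Condition": {"StringEquals": {"aws:SourceVpce": list(vpce_ids)}},
            },
        ],
    }


def _condition_matches(condition, context):
    """IAM's missing-key rule for these operators: StringEquals on an absent
    key is false; StringNotEquals on an absent key is true. The second is
    what makes the Deny fire for plain-internet requests, which never carry
    aws:SourceVpce."""
    for op, keys in condition.items():
        for key, values in keys.items():
            values = values if isinstance(values, list) else [values]
            present = key in context
            if op == "StringEquals":
                if not (present and context[key] in values):
                    return False
            elif op == "StringNotEquals":
                if present and context[key] in values:
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True


def _action_matches(pattern, action):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def evaluate(policy, action, context):
    """Explicit Deny wins; otherwise a matching Allow grants; otherwise the
    result is the implicit deny."""
    decision = "DENY"
    for st in policy["Statement"]:
        if not _action_matches(st["Action"], action):
            continue
        if not _condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "DENY"
        decision = "ALLOW"
    return decision


if __name__ == "__main__":
    policy = vpce_only_policy(BUCKET, TRUSTED_VPCE)
    print(json.dumps(policy, indent=2))
    samples = {
        "read via trusted endpoint": ("s3:GetObject", {"aws:SourceVpce": TRUSTED_VPCE[0]}),
        "read via other endpoint": ("s3:GetObject", {"aws:SourceVpce": "vpce-0fedcba9876543210"}),
        "read from the internet": ("s3:GetObject", {}),
        "write via trusted endpoint": ("s3:PutObject", {"aws:SourceVpce": TRUSTED_VPCE[0]}),
    }
    for label, (action, ctx) in samples.items():
        print(f"{label}: {evaluate(policy, action, ctx)}")
```

The Deny has Principal "*", so it also applies to the account's own IAM users and roles, including whoever administers the bucket: keep a way to reach the bucket through a trusted endpoint (or add a carefully scoped exception) before attaching it, or you can lock yourself out. For the asker's anonymous boto3/s3fs clients this only works if they run inside a VPC that routes to one of the listed endpoints; a request from anywhere else has no aws:SourceVpce and is denied, which is the point of making the bucket private.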
