1 Answer
A VPC gateway endpoint for S3 combined with a VPC endpoint policy is one way to meet the requirement of restricting access to buckets outside the Organization. A sample policy can look like:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3AccessOutsideMyOrg",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceOrgID": "xxxxxxx"
        }
      }
    }
  ]
}
```
answered a year ago
Note, however, that a VPC is a regional construct, and so is a VPC endpoint. Only the S3 buckets that reside in the local region will get routed to the gateway endpoint. Accessing a bucket in a different region will normally follow the default route to the internet and never be affected by the VPC endpoint policy.
Also, the "StringNotEquals" operator you used only matches for buckets whose owning account is a member of an AWS Organizations org. The policy won't block access to buckets owned by typical free tier and other standalone accounts. For Deny statements, you should normally use the ...IfExists variant of the comparison operator, StringEqualsIfExists in this case, which will cause the condition to evaluate to true (i.e., the Deny effect to be applied) when the condition key being evaluated is not present in the request context.
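The following script, added here as an illustration and not part of the answer or the comment above, builds the endpoint policy from the answer (with the `*` wildcards restored) and models how IAM evaluates the `aws:ResourceOrgID` condition for three kinds of request: a bucket owned by an account in your Organization, a bucket owned by an account in a different Organization, and a bucket owned by a standalone account that is in no Organization at all (where the key is absent from the request context). It compares the plain `StringNotEquals` operator with its `StringNotEqualsIfExists` variant, which is the negated-match IfExists form that makes the Deny apply when the key is missing. The Organization ID, bucket names and request contexts are constructed placeholders; the evaluator is a simplified model of the condition semantics, not the IAM engine.

```python
"""Model the Deny condition of an S3 gateway-endpoint policy under
StringNotEquals vs StringNotEqualsIfExists.

Added example; not code from the re:Post answer. The org ID below is a
constructed placeholder, not a real Organization ID.
"""
import json

MY_ORG_ID = "o-exampleorg1"  # constructed placeholder


def build_endpoint_policy(org_id: str, if_exists: bool = True) -> dict:
    """Return the Deny-outside-org endpoint policy from the answer, with the
    wildcards present and, by default, the IfExists comparison operator."""
    operator = "StringNotEqualsIfExists" if if_exists else "StringNotEquals"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyS3AccessOutsideMyOrg",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": "arn:aws:s3:::*",
                "Condition": {operator: {"aws:ResourceOrgID": org_id}},
            }
        ],
    }


def condition_matches(operator: str, expected: str, context: dict) -> bool:
    """Simplified IAM string-condition semantics for one key.

    Key absent from the request context:
      StringNotEquals         -> False (statement does not apply)
      StringNotEqualsIfExists -> True  (statement applies)
    Key present: both operators match when the value differs.
    """
    actual = context.get("aws:ResourceOrgID")
    if actual is None:
        return operator.endswith("IfExists")
    return actual != expected


def is_denied(policy: dict, context: dict) -> bool:
    """True if any Deny statement in the policy applies to the request.

    The request context carries the S3 action under "action" and, when the
    bucket owner belongs to an Organization, "aws:ResourceOrgID".
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if context.get("action") not in stmt["Action"]:
            continue
        (operator, kv), = stmt["Condition"].items()
        if condition_matches(operator, kv["aws:ResourceOrgID"], context):
            return True
    return False


def main() -> None:
    # Constructed request contexts for the three bucket-ownership cases.
    requests = {
        "bucket in my org": {"action": "s3:GetObject", "aws:ResourceOrgID": MY_ORG_ID},
        "bucket in another org": {"action": "s3:GetObject", "aws:ResourceOrgID": "o-otherorg2"},
        "bucket in a standalone account": {"action": "s3:GetObject"},
    }
    for if_exists in (False, True):
        policy = build_endpoint_policy(MY_ORG_ID, if_exists=if_exists)
        op = next(iter(policy["Statement"][0]["Condition"]))
        print(f"--- {op} ---")
        for label, ctx in requests.items():
            print(f"{label:32s} denied={is_denied(policy, ctx)}")
    # The IfExists form is the one worth saving for the endpoint.
    print(json.dumps(build_endpoint_policy(MY_ORG_ID), indent=2))


if __name__ == "__main__":
    main()
```

Running it shows the gap the comment describes: with `StringNotEquals` the standalone-account bucket is not denied, while with `StringNotEqualsIfExists` it is, and buckets inside your own Organization remain allowed under both. The JSON printed at the end can be saved to a file and attached with `aws ec2 create-vpc-endpoint ... --policy-document file://policy.json`; because the gateway endpoint is regional, the same policy has to be applied to the endpoint in every region where the VPC's workloads reach S3.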