
S3 Bucket Security

0

Hi

Total noob when it comes to AWS.

I am looking to shift my veeam backups to capacity tier which will be an S3 bucket.

The S3 bucket will have all public access blocked, use versioning and object lock.

My question is really around how best to secure the bucket in terms of IAM/Bucket Policy/ACL

We don't have a VPC setup at present as we use Azure for cloud workloads and email.

Basically what I want to do is to restrict access to this S3 bucket to a particular user and lock it down to a single public IP address. Both conditions must be met to get access to the bucket.

For a noob, the number of options when creating the policy is a bit confusing.

I have used the policy generator but it throws an error when I try to add the principal (IAM user).

Any help greatly appreciated.

Thanks

P

4 Answers
1

Good day.

To limit access to specific IAM principals, here is our public guide: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

To limit access to specific IP addresses, here is our public guide: https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/

I'm hoping this is able to help you.

Truly,

Jason H.

answered 8 months ago
0

See this page for recommended access controls: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-best-practices.html

In short, disable ACLs on the bucket and govern access via IAM. More details on how to do this here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

answered 8 months ago
0

Hi Guys,

Sorry for the slow response and thanks for the responses I did receive.

This is kind of what I want to do but the policy gives out about the principal.

I want access to be allowed for a particular group AND only from a particular IPv4 block.

{
  "Id": "Policy1639567223578",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt16395456545451",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::awsaccount:group/backup_admins"
        ]
      }
    },
    {
      "Sid": "Stmt1631234560507",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "ip4subnet"
        }
      },
      "Principal": "*"
    }
  ]
}

This policy was built using the policy generator; when I add it to the bucket, I get this error:

Unsupported Principal: The policy type IDENTITY_POLICY does not support the Principal element. Remove the Principal element.

Cheers

answered 8 months ago
0

You cannot specify an AWS User Group as a principal in an IAM policy: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

You could specify one or more User ARNs. Or, if you want to keep using a Group you can grant access to the bucket from a policy associated with the Group itself:

IAM Group Policy (this can be an inline policy or a managed policy attached to the Group):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "s3:ListBucket",
      "s3:GetObject*",
      "s3:GetBucket*",
      "s3:List*",
      "s3:Abort*"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:s3:::bucket1",
      "arn:aws:s3:::bucket1/*"
    ]
  }]
}

Note: the above is not tested, and be sure to limit the actions to least privilege.

And keep the Bucket Policy to restrict access from a specific IP (note: this will break access to the bucket from the AWS Console):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": [
      "arn:aws:s3:::bucket1",
      "arn:aws:s3:::bucket1/*"
    ],
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": "x.x.x.x"
      }
    },
    "Principal": "*"
  }]
}
answered 7 months ago
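The two-policy design in the answer above (an Allow on the group's identity policy, plus a bucket policy that denies everything not coming from the office IP) is easy to get wrong because the decision comes from combining both documents. The following is an added example, not code from this thread or from AWS: a small offline model of IAM's evaluation order (explicit Deny wins, otherwise any Allow, otherwise implicit deny) applied to the posted policies for the same-account case. The account ID, the `veeam` user name, the object key and the office block 203.0.113.0/24 are assumptions; only the IpAddress/NotIpAddress operators are modelled.

```python
"""Offline model of how IAM decides a request against the two policies in the
answer above: the group's identity policy plus the IP-restricting bucket policy.
Added example, not code from the thread or from AWS; it models only the
IpAddress/NotIpAddress operators and same-account access, where an Allow in
either policy is enough and any explicit Deny wins. Names and CIDR are assumed."""
import fnmatch
import ipaddress
import json

OFFICE_CIDR = "203.0.113.0/24"  # assumed office block (RFC 5737 documentation range)

# Constructed from the answer's group policy (trailing commas removed).
GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:Abort*"],
    "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]
  }]
}""")

# Constructed from the answer's bucket policy, with x.x.x.x replaced by OFFICE_CIDR.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": "%s"}}
  }]
}""" % OFFICE_CIDR)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value):
    # IAM's '*' and '?' wildcards in Action/Resource behave like case-sensitive shell globs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _ip_in(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(cond, ctx):
    """Every operator/key pair in a Condition block must hold (they are ANDed)."""
    for op, pairs in cond.items():
        for key, values in pairs.items():
            actual = ctx.get(key)
            if op == "IpAddress":
                ok = actual is not None and _ip_in(values, actual)
            elif op == "NotIpAddress":  # negated operators hold when the key is absent
                ok = actual is None or not _ip_in(values, actual)
            else:
                raise ValueError("operator %s not modelled" % op)
            if not ok:
                return False
    return True


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    allowed = principal if isinstance(principal, str) else principal.get("AWS", [])
    return _glob_any(allowed, arn)


def _statement_matches(stmt, req, is_resource_policy):
    if is_resource_policy and not _principal_matches(stmt["Principal"], req["principal"]):
        return False
    if not _glob_any(stmt["Action"], req["action"]):
        return False
    if not _glob_any(stmt["Resource"], req["resource"]):
        return False
    return _condition_holds(stmt.get("Condition", {}), req["context"])


def evaluate(identity_policies, bucket_policy, req):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    policies = [(p, False) for p in identity_policies] + [(bucket_policy, True)]
    for policy, is_resource in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, req, is_resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


def thread_scenarios():
    """The asker's cases, plus a PutObject check against the posted group policy."""
    user = "arn:aws:iam::123456789012:user/veeam"  # assumed member of backup_admins
    obj = "arn:aws:s3:::bucket1/veeam/backup.vbk"
    cases = {  # name: (identity policies in effect, action, source IP)
        "member_from_office": ([GROUP_POLICY], "s3:GetObject", "203.0.113.25"),
        "member_from_elsewhere": ([GROUP_POLICY], "s3:GetObject", "198.51.100.7"),
        "non_member_from_office": ([], "s3:GetObject", "203.0.113.25"),
        "member_put_from_office": ([GROUP_POLICY], "s3:PutObject", "203.0.113.25"),
    }
    return {name: evaluate(ids, BUCKET_POLICY, {"principal": user, "action": action,
                                                "resource": obj, "context": {"aws:SourceIp": ip}})
            for name, (ids, action, ip) in cases.items()}
```

Calling `thread_scenarios()` gives Allow for the group member at the office, Deny for the same member from any other address, and ImplicitDeny for a non-member even at the office, which is the "both conditions must be met" behaviour the asker wanted. The fourth case is the caveat the answer flags as untested: the posted group policy grants no `s3:PutObject`, so a backup job could read but not write until the action list is extended, and that should be done in the identity policy rather than by widening the bucket policy Deny.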
