S3 policy allow Source VPC or IP

I began with a bucket policy based on https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/ allowing one internet IP address, then needed to also allow access from a VPC.

This policy behaves as expected, but is not good for readability:

{
    "Version": "2012-10-17",
    "Id": "policy-s3",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3bucketname",
                "arn:aws:s3:::s3bucketname/*"
            ],
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:sourceVpc": "vpc-1234"
                },
                "NotIpAddressIfExists": {
                    "aws:SourceIp": "101.1.1.1/32"
                }
            }
        }
    ]
}

I tried to change to separate allow statements for the IP and the VPC, expecting an implicit deny to block any other sources, but the policy below allows access from any internet IP.

Access Analyzer shows "Condition: Source IP: 101.1.1.1/32" when this policy is applied, but I was expecting the "Access Analyzer does not have access to the metadata it needs to analyze the resource" response, which is what I get from the first policy.

Can someone help me understand why the policy below doesn't restrict access to the IP or the VPC?

Edit: I think that although the IAM permissions policy grants S3 actions on each bucket resource with no network condition, the first policy is working because it is a deny. Is there a better way I can restrict access to the public IP or the VPC without using the two "not if exists" conditions?

{
    "Version": "2012-10-17",
    "Id": "policy-s3",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3bucketname",
                "arn:aws:s3:::s3bucketname/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "101.1.1.1/32"
                }
            }
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3bucketname",
                "arn:aws:s3:::s3bucketname/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpc-1234"
                }
            }
        }
    ]
}
2 Answers

For the second policy, there would be an implicit deny, but I'm pretty sure the issue is that it's merged with the IAM permissions policy I use to grant our IAM user access to the bucket, so once the allow there is matched, it does not reach the deny when no IP or VPC is allowed in the bucket policy.

Putting the IP and VPC rules into the IAM Permissions Policy would make it very messy, so I think a deny for networks in the bucket policy is the only option.

Having two "not if exists" conditions for different context keys in the one condition block seems pretty bad for readability to me, but I believe the logic is always an implicit AND when different context keys are in a condition. Is there any way I could reformat this condition or the policy to make it easier for any of my colleagues who have to work on it later?

answered 2 years ago
  • I completely agree with you about the readability aspect but deny is what we are left with. I can't think of an alternative. I am waiting for any expert who can make things easier here!
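The behaviour discussed in the question and in the answer above (an explicit Deny in the bucket policy wins over the identity policy, while Allow statements in the bucket policy are simply unioned with the identity policy's Allow) can be checked offline with a small model of the IAM evaluation order. The script below is an added example, not code from the original post or from AWS: it implements only the parts of the evaluation logic this thread needs (explicit Deny, then Allow, then implicit deny; IpAddress/NotIpAddress/StringEquals/StringNotEquals and their ...IfExists forms; keys in one Condition block ANDed). The IAM user's identity policy and the request contexts are constructed, and the contexts assume, as the linked knowledge-center article does, that a request arriving through the VPC endpoint carries aws:sourceVpc but no aws:SourceIp. It also runs a tempting "readable" refactor that splits the single Deny into two Deny statements, to show why the two IfExists conditions must stay in one statement.

```python
"""Toy IAM evaluation for the bucket policies in the thread (added example)."""
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::s3bucketname"
RES = [BUCKET, BUCKET + "/*"]


def _stmt(sid, effect, cond=None):
    s = {"Sid": sid, "Effect": effect, "Principal": "*", "Action": "s3:*", "Resource": RES}
    if cond:
        s["Condition"] = cond
    return s


# Assumed identity policy of the IAM user: s3:* on the bucket, no network condition.
IDENTITY_POLICY = {"Statement": [_stmt("IamUserGrant", "Allow")]}

# First policy from the question: one Deny whose two IfExists conditions are ANDed.
DENY_POLICY = {"Statement": [_stmt("1", "Deny", {
    "StringNotEqualsIfExists": {"aws:sourceVpc": "vpc-1234"},
    "NotIpAddressIfExists": {"aws:SourceIp": "101.1.1.1/32"}})]}

# Second policy from the question: two Allows, relying on the implicit deny.
ALLOW_POLICY = {"Statement": [
    _stmt("1", "Allow", {"IpAddress": {"aws:SourceIp": "101.1.1.1/32"}}),
    _stmt("2", "Allow", {"StringEquals": {"aws:sourceVpc": "vpc-1234"}})]}

# Hypothetical refactor for readability: the Deny split into two statements.
SPLIT_DENY_POLICY = {"Statement": [
    _stmt("ip", "Deny", {"NotIpAddressIfExists": {"aws:SourceIp": "101.1.1.1/32"}}),
    _stmt("vpc", "Deny", {"StringNotEqualsIfExists": {"aws:sourceVpc": "vpc-1234"}})]}

# Constructed request contexts (assumption: VPC-endpoint requests carry no aws:SourceIp).
CONTEXTS = {
    "allowed_ip": {"aws:SourceIp": "101.1.1.1"},
    "other_ip": {"aws:SourceIp": "203.0.113.5"},
    "allowed_vpc": {"aws:sourceVpc": "vpc-1234"},
    "other_vpc": {"aws:sourceVpc": "vpc-9999"},
}


def _ctx_value(ctx, key):
    """Condition keys are case-insensitive; return the request value or None."""
    for k, v in ctx.items():
        if k.lower() == key.lower():
            return v
    return None


def _cond_true(op, key, expected, ctx):
    actual = _ctx_value(ctx, key)
    if_exists = op.endswith("IfExists")
    base = op[: -len("IfExists")] if if_exists else op
    if actual is None:
        # ...IfExists: a missing key satisfies the condition; plain operators fail.
        return if_exists
    values = expected if isinstance(expected, list) else [expected]
    if base == "StringEquals":
        return actual in values
    if base == "StringNotEquals":
        return actual not in values
    if base == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if base == "NotIpAddress":
        return not any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    raise ValueError("operator not modelled: " + op)


def _matches(stmt, action, resource, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    # Every operator and every key in the Condition block must hold (implicit AND).
    return all(_cond_true(op, key, exp, ctx)
               for op, keys in stmt.get("Condition", {}).items()
               for key, exp in keys.items())


def evaluate(policies, action, resource, ctx):
    """Explicit Deny beats any Allow; no matching Allow is an implicit deny."""
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if not _matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def scenario_table():
    """Result for each (policy set, request context) pair; keyed by names."""
    sets = {
        "deny+identity": [IDENTITY_POLICY, DENY_POLICY],
        "allow+identity": [IDENTITY_POLICY, ALLOW_POLICY],
        "allow_only": [ALLOW_POLICY],
        "split_deny+identity": [IDENTITY_POLICY, SPLIT_DENY_POLICY],
    }
    return {(s, c): evaluate(p, "s3:GetObject", BUCKET + "/key", ctx)
            for s, p in sets.items() for c, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    for (s, c), r in scenario_table().items():
        print(f"{s:22} {c:12} -> {r}")
```

Reading the table: with the identity policy in play, the Allow-based bucket policy returns Allow for every context (the identity policy's own Allow is enough), while the single-Deny policy blocks exactly the other IP and the other VPC. The same Allow policy evaluated on its own does give ImplicitDeny for the unwanted sources, which is the behaviour the question expected. The split version denies everything, including the allowed IP and the allowed VPC, because whichever key the request lacks makes the other statement's IfExists condition true; that is why the two conditions have to share one statement.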


For the second policy you mentioned, there is an allow for a particular IP and VPC, but there isn't a deny for the other IPs. Could that be the issue?

I think you may already know about this link. https://awspolicygen.s3.amazonaws.com/policygen.html. Experiment with this to see if you can restrict access without giving deny.

I think deny is probably the best way to restrict access, because the condition matches all IPs except the IP you specified, and hence that IP is allowed to have access.

I have researched a bit on this. Check if this link helps. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#vpc-endpoints-policies-s3. Please ignore if you already know this. Hope it helps.

answered 2 years ago
