
How to restrict S3 access to a specific AWS VPC endpoint for IoT credentials

0

Hello, AWS People

I wanted to limit S3 access to the VPC endpoint for IoT credentials, so I configured the S3 bucket policy as follows.

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    { "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET2",
                   "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"],
      "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-vpcendpointforiotcredential"}}
    }
  ]
}

However, Access Denied was returned, so now I can't delete the S3 bucket and I can't access it. I don't know the root user's access key because I accessed the account through an assumed role. Is there a way for me to access S3? Thank you.
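Why the policy above denies the console and the assumed role along with everything else outside the endpoint comes down to how `StringNotEquals` treats a missing key: a request that reaches S3 through the public endpoint (the console, or a CLI on a laptop) carries no `aws:sourceVpce` in its request context, and a negated operator evaluates to true when its key is absent, so the Deny fires. The evaluator below is an added example, not code from the original post; it models just enough of the IAM condition logic to show this, and contrasts the posted policy with a variant that exempts one break-glass role through an `ArnNotEquals` condition on `aws:PrincipalArn` (operators inside one `Condition` block are ANDed, so the Deny then applies only to requests that are neither from the endpoint nor from that role). The account ID `111122223333` and the role names are assumptions for illustration. Separately from any policy change, the account root user can always delete or replace a bucket policy that denies everyone else; root signs in with the account e-mail and password rather than an access key.

```python
"""Mini evaluator for the 'Deny unless from one VPC endpoint' bucket policy.

Added illustration, not part of the original post. It models only the subset
of IAM evaluation needed to see why the posted policy locks everyone out:
  * a negated operator (StringNotEquals, ArnNotEquals) is satisfied when the
    context key is absent; a positive operator is not
  * several values for one key: any may match
  * several keys in one operator, and several operators in one Condition
    block, are ANDed
Only explicit Deny statements are checked: the question is whether the Deny
fires, not whether an Allow exists elsewhere.
"""
import copy

NEGATED_OPERATORS = {"stringnotequals", "arnnotequals"}
BUCKET = "arn:aws:s3:::DOC-EXAMPLE-BUCKET2"
ACCOUNT = "111122223333"  # assumed account ID, illustration only
BREAK_GLASS_ROLE = f"arn:aws:iam::{ACCOUNT}:role/BreakGlassAdmin"  # assumed role

# The policy as posted in the question (placeholder endpoint ID kept as-is).
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET, BUCKET + "/*"],
        "Condition": {
            "StringNotEquals": {"aws:sourceVpce": "vpce-vpcendpointforiotcredential"}
        },
    }],
}

# Same Deny, plus an exemption: operators in one Condition block are ANDed, so
# the Deny fires only if NOT from the endpoint AND NOT the break-glass role.
HARDENED_POLICY = copy.deepcopy(POSTED_POLICY)
HARDENED_POLICY["Statement"][0]["Condition"]["ArnNotEquals"] = {
    "aws:PrincipalArn": BREAK_GLASS_ROLE
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    ctx = {k.lower(): v for k, v in context.items()}  # keys are case-insensitive
    for operator, keys in condition.items():
        negated = operator.lower() in NEGATED_OPERATORS
        for key, wanted in keys.items():
            actual = ctx.get(key.lower())
            if actual is None:
                if negated:
                    continue      # missing key satisfies NotEquals ...
                return False      # ... but never Equals
            if (actual in _as_list(wanted)) == negated:
                return False      # equal under NotEquals, or unequal under Equals
    return True


def _resource_matches(pattern, resource):
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _action_matches(pattern, action):
    if pattern == "*" or pattern.lower() == "s3:*":
        return action.lower().startswith("s3:")
    return pattern.lower() == action.lower()


def explicit_deny(policy, context, action, resource):
    """Return the Sid of the first Deny statement that applies, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


# Constructed request contexts. Only the request that arrives through the
# endpoint carries aws:sourceVpce; console and laptop requests do not.
FROM_IOT_VPCE = {
    "aws:sourceVpce": "vpce-vpcendpointforiotcredential",
    "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:role/IoTDeviceRole",
}
FROM_CONSOLE_AS_ADMIN = {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:role/AdminRole"}
FROM_CONSOLE_AS_BREAK_GLASS = {"aws:PrincipalArn": BREAK_GLASS_ROLE}


def lockout_report(policy):
    """Which constructed caller can still run s3:DeleteBucketPolicy (True = can)."""
    callers = [("iot_via_vpce", FROM_IOT_VPCE),
               ("admin_console", FROM_CONSOLE_AS_ADMIN),
               ("break_glass_console", FROM_CONSOLE_AS_BREAK_GLASS)]
    return {name: explicit_deny(policy, ctx, "s3:DeleteBucketPolicy", BUCKET) is None
            for name, ctx in callers}


if __name__ == "__main__":
    print("posted  :", lockout_report(POSTED_POLICY))
    print("hardened:", lockout_report(HARDENED_POLICY))
```

Run as a script, the report for the posted policy shows that only the IoT caller behind the endpoint can still touch the policy; the hardened variant additionally lets the break-glass role undo it from the console while the ordinary admin role stays denied. `aws:PrincipalArn` is compared against the role ARN even for assumed-role sessions, which is why the exemption works for a role used through AssumeRole.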

4 Answers
3
EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
3

Hello,

To restrict S3 access to a specific VPC endpoint for IoT credentials and resolve access issues, follow these steps:

Bucket Policy Setup

Ensure your S3 bucket policy correctly restricts access to the specified VPC endpoint while denying other sources:

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET2",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1234567890abcdef0"
        }
      }
    }
  ]
}

Steps to Access and Modify the Bucket Policy

1. Ensure Access via the Correct VPC Endpoint:

Verify your instance is within the VPC and using the specified VPC endpoint (vpce-1234567890abcdef0).

2. Modify or Remove the Bucket Policy using AWS CLI:

Delete the Restrictive Policy if you're locked out:

aws s3api delete-bucket-policy --bucket DOC-EXAMPLE-BUCKET2

Update the Policy with less restrictive permissions if needed:

aws s3api put-bucket-policy --bucket DOC-EXAMPLE-BUCKET2 --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllActions",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET2",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"
      ]
    }
  ]
}'

If You Are Locked Out

1. Access AWS CLI from the Correct VPC Endpoint: Make sure your CLI environment is within the specified VPC endpoint to have the necessary access.

2. Use the AWS Management Console: Navigate to the S3 bucket policy section and attempt to update the policy directly.

By following these steps, you can restrict S3 access to a specific VPC endpoint for IoT credentials and resolve access issues efficiently. I hope this is helpful for you. Thank you.

EXPERT
answered 2 years ago
1

Steps to Access the S3 Bucket

Access S3 from the Correct VPC Endpoint:

Ensure that you're accessing the S3 bucket from within the VPC that uses the specified VPC endpoint (vpce-vpcendpointforiotcredential).

Assume a Role with Necessary Permissions:

If you have permissions to assume a role with full access to S3, you can use that role to modify the bucket policy.

Modify the Bucket Policy Using AWS CLI

If you can access AWS CLI from an environment within the specified VPC endpoint, you can modify or delete the bucket policy. Here's how:

Verify Your VPC Endpoint:

Make sure you are using the correct VPC endpoint by checking your instance’s VPC configuration.

Remove or Adjust the Restrictive Bucket Policy:

You can delete the current bucket policy to remove the restrictions temporarily.

aws s3api delete-bucket-policy --bucket DOC-EXAMPLE-BUCKET2


If you want to update the policy instead, you can do so by applying a less restrictive policy:

aws s3api put-bucket-policy --bucket DOC-EXAMPLE-BUCKET2 --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllActions",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET2",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"
      ]
    }
  ]
}'

Alternative Solutions

If you cannot access the AWS CLI from the specified VPC endpoint or need another approach:

AWS Management Console:

Ensure you are connected to the correct VPC endpoint.

Navigate to the S3 bucket policy section and attempt to update the bucket policy through the AWS Management Console.

IAM Role with S3 Full Access:

If you can create a new IAM role with full access to S3, assume that role, and then update the bucket policy.

Contact AWS Support

If you are still unable to access the bucket:

Open a Support Case:

Use the AWS Support Center to open a support case explaining the issue.

Since you mentioned having difficulty opening support cases, ensure that the IAM user or role you are using has the support:* permissions to open cases.

AWS Billing and Account Support:

Contact AWS support directly via phone if you’re unable to create a case online. Provide them with the details of your issue.

North America: 1-888-280-4331

International: Find the number for your country here.
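Both answers above come down to two CLI calls: delete the bucket policy, or replace it with an unconditional `Allow` for `Principal "*"`. Two caveats a practitioner would want before typing either: the posted `Deny` covers `s3:DeleteBucketPolicy` and `s3:PutBucketPolicy` themselves, so neither call succeeds from the console or a laptop while it is in place, only from inside the VPC through that endpoint or as the account root user; and the replacement policy makes the bucket readable and writable by anyone on the internet (on a bucket with Block Public Access enabled, the default for buckets created since April 2023, S3 rejects such a policy at put time anyway). The lint below is an added example, not the answers' code: it flags both problems in a policy document before `put-bucket-policy` is run, and passes a variant whose `Deny` exempts one administrative role through `aws:PrincipalArn`. The account ID `111122223333` and the role name `BreakGlassAdmin` are assumptions for illustration.

```python
"""Preflight lint for an S3 bucket policy, run before put-bucket-policy.

Added illustration, not code from the original answers. Two findings:
  LOCKOUT : a Deny for Principal "*" that covers s3:PutBucketPolicy /
            s3:DeleteBucketPolicy (directly or via s3:*) and is conditioned
            only on where the request comes from. Nobody outside that network
            path, console included, can change the policy afterwards; only
            the account root user keeps that ability.
  PUBLIC  : an Allow for Principal "*" with no Condition, i.e. the bucket is
            open to anyone on the internet.
"""
import json

NETWORK_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip", "aws:vpcsourceip"}
POLICY_ACTIONS = {"s3:putbucketpolicy", "s3:deletebucketpolicy"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_everyone(stmt):
    principal = stmt.get("Principal")
    return principal == "*" or principal == {"AWS": "*"}


def _covers_policy_actions(stmt):
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return "*" in actions or "s3:*" in actions or bool(actions & POLICY_ACTIONS)


def _condition_keys(stmt):
    keys = set()
    for operator_keys in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_keys)  # keys are case-insensitive
    return keys


def lint_bucket_policy(policy):
    """Return a list of (finding, Sid) tuples; an empty list means no concern."""
    findings = []
    for stmt in policy.get("Statement", []):
        if not _is_everyone(stmt):
            continue  # a scoped principal is the author's deliberate choice
        sid = stmt.get("Sid", "<no Sid>")
        keys = _condition_keys(stmt)
        if stmt["Effect"] == "Deny" and _covers_policy_actions(stmt):
            # no keys, or network-origin keys only: nothing but the network
            # path exempts a caller, so the policy cannot be undone elsewhere
            if keys <= NETWORK_KEYS:
                findings.append(("LOCKOUT", sid))
        elif stmt["Effect"] == "Allow" and not keys:
            findings.append(("PUBLIC", sid))
    return findings


def lint_policy_json(text):
    """Same check on the JSON string that would be passed to --policy."""
    return lint_bucket_policy(json.loads(text))


# Constructed sample documents: the question's Deny, the answers' Allow, and a
# Deny that exempts one admin role (account ID and role name are assumed).
POSTED_DENY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-VPCE-only", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET2", "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-vpcendpointforiotcredential"}}
  }]
}"""

ANSWER_ALLOW_ALL = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAllActions", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET2", "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"]
  }]
}"""

DENY_WITH_EXEMPTION = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-VPCE-only", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET2", "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"],
    "Condition": {
      "StringNotEquals": {"aws:sourceVpce": "vpce-vpcendpointforiotcredential"},
      "ArnNotEquals": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/BreakGlassAdmin"}
    }
  }]
}"""

if __name__ == "__main__":
    for name, doc in [("posted", POSTED_DENY), ("answers", ANSWER_ALLOW_ALL),
                      ("exempted", DENY_WITH_EXEMPTION)]:
        print(f"{name:9}", lint_policy_json(doc) or "ok")
```

Wire `lint_policy_json` in front of `aws s3api put-bucket-policy` (for example, as a pre-commit hook on the policy file) and refuse to apply a document that returns any finding. The exempted variant passes because its `Condition` carries a principal key in addition to the network key, so at least one caller outside the endpoint can still reach `PutBucketPolicy`.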

EXPERT
answered 2 years ago
0

Hello,

When applying the Amazon S3 bucket policies for VPC endpoints described in this section, you might block your access to the bucket unintentionally. Bucket permissions that are intended to specifically limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket.

For information about how to fix this issue, follow this article https://repost.aws/knowledge-center/change-vpc-endpoint-s3-bucket-policy

EXPERT
answered 2 years ago
