By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Condition to limit S3 access from AWS network only

0

I need to provide an assess to my S3 to partners companies which has their own AWS accounts

I'd like to limit access to my S3 bucket by AWS network only.

The reason is to prevent anyone from downloading resources directly to on premises servers. Because according to my understanding, when partner will be downloading data from my S3 to EC2 (for example) in their AWS account in the same region this data transfer would not be charged. The region could be limited by s3:LocationConstraint condition.

So my question is which policy condition should be used to limit by AWS network?

  • Smotrov
    2 years ago

    Hmm... It seams like I can't use s3:LocationConstraint for GetObject. It is written in documentation: "Not all conditions make sense for all actions. For example, it makes sense to include an s3:LocationConstraint condition on a policy that grants the s3:CreateBucket Amazon S3 permission. However, it does not make sense to include this condition on a policy that grants the s3:GetObject permission."

    Is there any other way to limit readings from specific region?

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceIAM Policies
Language
English
profile picture
Smotrov
asked 2 years ago304 views
3 Answers
1

You can try the aws:SourceVpc condition of IAM Policy document. Check the details from the documentation! :)

profile picture
EXPERT
posquit0
answered 2 years ago
  • Smotrov
    2 years ago

    Good idea! Thank you however it requires that the in-VPC service on the other side. Non-VPC Lambda for example, will not be able to access the data. In the meanwhile, pretty good workaround! Thank you.

0

Hello

Yes you can do that, Please follow the AWS Support Blog https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/

Thank You GK

profile picture
GK
answered 2 years ago
  • Smotrov
    2 years ago

    Thank you for your comment. Unfortunately either of suggested restrictions doesn't solves the issue.

    1. VPC endpoint service with our partners will cause per GB charge.
    2. Not all partners are ready to setup a NAT with static IP. Again because of per GB price.

    In our case we are talking about hundreds of terabytes per month so we are really sensitive in this questions.

    As it is written here https://aws.amazon.com/s3/pricing/

    You pay for all bandwidth into and out of Amazon S3, except for the following:

    ... Data transferred from an Amazon S3 bucket to any AWS service(s) within the same AWS Region as the S3 bucket (including to a different account in the same AWS Region) ....

    So my question is how to put exactly this statement into policy condition.

0

You could write a bucket policy that uses the SourceIP condition and limits it to EC2 CIDR address for your region.

curl https://ip-ranges.amazonaws.com/ip-ranges.json > ip-ranges.json
jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2") | .ip_prefix' < ip-ranges.json
profile pictureAWS
EXPERT
kentrad
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content