Even if you make an S3 bucket private, anyone who knows a valid access key can reach the bucket from anywhere using that key. If you want to restrict access to the corporate network only, there are two ways to do it:
1. Allow access only from a specific VPC endpoint, so that the bucket can be reached only once you are inside that VPC.
2. Allow access only from specific IP addresses.
Either option adds an additional layer of security.
Allowing access to a specific VPC endpoint
To write the S3 bucket policy you can use the policy editor or Notepad.
Step 1: Change the relevant places in the following JSON policy and copy it.
{
  "Version": "2012-10-17",
  "Id": "<<policy Name>>",
  "Statement": [
    {
      "Sid": "<<Any id>>",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<<bucket Name>>",
        "arn:aws:s3:::<<bucket Name>>/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "<<VPC endpoint ID>>"
        }
      }
    }
  ]
}
Step 2: Go to the S3 bucket you want to restrict.
Step 3: Go to the Permissions tab.
Step 4: Paste the copied policy into the "Bucket policy" section and save.
Allowing access to specific IPs
Change the relevant places in the following JSON policy and apply it with the same steps as above.
{
  "Version": "2012-10-17",
  "Id": "<<Policy Id>>",
  "Statement": [
    {
      "Sid": "<<Any id>>",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<<Bucket Name>>",
        "arn:aws:s3:::<<Bucket Name>>/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "<<IP or CIDR 1>>",
            "<<IP or CIDR 2>>"
          ]
        }
      }
    }
  ]
}
Note: if anything goes wrong you will lose access to the bucket, and the policy can then be removed only with root user access. Please be careful before you make the change.
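As an added example (not part of the original post), the following Python script builds both policies described above from a bucket name, a VPC endpoint ID and a CIDR list, and models how the two negated condition operators evaluate a request, including a request that carries no source IP because it arrived through a VPC endpoint. The bucket, endpoint and CIDR values in the tests are constructed placeholders, and is_denied is a simplified model rather than the real IAM evaluator.

```python
import ipaddress

def deny_unless(bucket, policy_id, condition):
    """Skeleton shared by both policies on the page: a blanket Deny on the bucket
    and its objects that applies only when `condition` does NOT hold."""
    return {
        "Version": "2012-10-17",
        "Id": policy_id,
        "Statement": [{
            "Sid": policy_id,
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            # Both the bucket ARN and the object ARN ("/*") must be listed.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": condition,
        }],
    }

def vpce_only_policy(bucket, vpce_id):
    """Deny unless the request arrives through the given VPC endpoint (vpce-...)."""
    return deny_unless(bucket, "DenyUnlessFromVpce",
                       {"StringNotEquals": {"aws:SourceVpce": vpce_id}})

def ip_only_policy(bucket, cidrs):
    """Deny unless the caller's public IP falls inside one of the CIDR ranges."""
    return deny_unless(bucket, "DenyUnlessFromCorpIps",
                       {"NotIpAddress": {"aws:SourceIp": list(cidrs)}})

def is_denied(policy, ctx):
    """Simplified model (not the real IAM engine) of the two negated operators used
    above. ctx maps condition keys to the request's values; a key missing from ctx
    makes a negated operator match, so the Deny applies (e.g. no aws:SourceIp for
    requests that arrive through a VPC endpoint)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for operator, pairs in stmt["Condition"].items():
            for key, expected in pairs.items():
                actual = ctx.get(key)
                if actual is None:
                    return True
                if operator == "StringNotEquals" and actual != expected:
                    return True
                if operator == "NotIpAddress":
                    ip = ipaddress.ip_address(actual)
                    nets = (ipaddress.ip_network(c, strict=False) for c in expected)
                    if not any(ip in net for net in nets):
                        return True
    return False
```

Running is_denied against the request context of the identity you administer from, before saving the policy, is a cheap way to catch the lock-out the note above warns about.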