S3 Bucket Resource Policy

You will now configure an S3 bucket policy on the restricted bucket so that objects can be put into it only through your VPC gateway endpoint; PutObject requests arriving by any other path are denied.

figure17

Update the S3 Bucket policy in your lab (a template/example is provided below):

  1. From the collected CloudFormation output values, copy the value of the “RestrictedS3BucketPermsURL” output into a browser to review the permissions on the S3 bucket. On the Permissions tab, click Bucket policy.
  2. From the CloudFormation outputs, copy the value of the “RestrictedS3BucketName” output.
  3. Replace the placeholder bucket name “examplerestrictedbucketname” in the template/example below (it appears twice, in the bucket ARN and in the object ARN) with the value of “RestrictedS3BucketName”.
  4. From the CloudFormation outputs, copy the value of the “S3VPCGatewayEndpoint” output (format will be vpce-xxxxx).
  5. Replace the placeholder “vpce-vpceid” string in the template/example with the value of “S3VPCGatewayEndpoint”. Check this value carefully: because the statement denies every request whose endpoint ID does not match, a mistyped ID denies PutObject from everywhere, including from inside your VPC.
  6. Having updated the example policy (below) with the values for your specific resources, add it as the bucket policy on the S3 bucket and save. For additional instructions/clarifications on updating the bucket policy see “How do I add an S3 bucket policy?”
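The six steps above can also be carried out from the command line. The script below is an added example (not part of the lab or of the CloudFormation template): it reads the two CloudFormation outputs with the AWS CLI, refuses to proceed on an empty bucket name or a malformed endpoint ID, renders the template with the real values, applies it with s3api put-bucket-policy, and reads the policy back to confirm the endpoint ID is in force. The stack name given on the command line, the temporary file and the check in is_vpce_id are assumptions; the output keys, placeholder names and policy body are the ones used in this lab.

```shell
#!/bin/sh
# Added example: render and apply the lab's S3 bucket policy with the AWS CLI.
# Not part of the lab; the stack name passed on the command line is assumed.
set -eu

# A gateway endpoint ID looks like "vpce-" followed by hex digits (assumed check).
is_vpce_id() {
  case "$1" in
    vpce-[0-9a-f]*) return 0 ;;
    *)              return 1 ;;
  esac
}

# Fetch one named output value from a CloudFormation stack.
# Prints nothing if the output key does not exist, which render_policy rejects.
stack_output() {
  aws cloudformation describe-stacks --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='$2'].OutputValue" --output text
}

# Render the lab's bucket policy template with the real bucket name and endpoint ID.
# An empty or malformed value is refused: with StringNotEquals, a wrong endpoint
# ID would produce a policy that denies PutObject from everywhere.
render_policy() {
  bucket="$1"
  vpce="$2"
  [ -n "$bucket" ] || { echo "bucket name is empty" >&2; return 1; }
  is_vpce_id "$vpce" || { echo "not a VPC endpoint id: $vpce" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "vpc-endpoints-lab-s3-bucketpolicy",
  "Statement": [
    {
      "Sid": "Access-to-put-objects-via-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"],
      "Condition": {"StringNotEquals": {"aws:sourceVpce": "${vpce}"}}
    }
  ]
}
EOF
}

# Steps 1-6 end to end: read the outputs, render, apply, then read the policy
# back from S3 and confirm the endpoint ID is present in what S3 now enforces.
apply_policy() {
  stack="$1"
  bucket=$(stack_output "$stack" RestrictedS3BucketName)
  vpce=$(stack_output "$stack" S3VPCGatewayEndpoint)
  policy_file=$(mktemp)
  render_policy "$bucket" "$vpce" > "$policy_file"
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file://$policy_file"
  rm -f "$policy_file"
  applied=$(aws s3api get-bucket-policy --bucket "$bucket" --query Policy --output text)
  case "$applied" in
    *"\"$vpce\""*)
      echo "bucket policy on $bucket now restricts s3:PutObject to $vpce" ;;
    *)
      echo "policy read back from $bucket does not contain $vpce" >&2
      return 1 ;;
  esac
}

# Only touch AWS when a stack name is given, e.g.:  sh apply-bucket-policy.sh vpc-endpoints-lab
if [ "$#" -ge 1 ]; then
  apply_policy "$1"
fi
```

After applying, a PutObject from an instance in the VPC (which resolves the S3 gateway prefix list through the endpoint) succeeds, while the same upload from your workstation is refused with AccessDenied, which is the expected result of the Deny statement.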

S3 Resource (bucket) policy template / example

{
  "Version": "2012-10-17",
  "Id": "vpc-endpoints-lab-s3-bucketpolicy",
  "Statement": [
    {
      "Sid": "Access-to-put-objects-via-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::examplerestrictedbucketname",
                   "arn:aws:s3:::examplerestrictedbucketname/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-vpceid"
        }
      }
    }
  ]
}

The policy, once entered, should look similar to the following. Because the statement is a Deny with Principal "*", any s3:PutObject request that does not arrive through the named endpoint is refused, including uploads from your own workstation or from the console; other actions such as s3:GetObject are not affected by this statement.

figure17a

Important Gateway Endpoint Considerations

  • The following applies to the policy attached to the gateway endpoint itself (not to the bucket policy above). For gateway endpoints only, you cannot limit the principal to a specific IAM role or user; the endpoint policy specifies * to grant access to all IAM roles and users in the account. If you specify the principal in the format “AWS”:“AWS-account-ID” or “AWS”:“arn:aws:iam::AWS-account-ID:root”, access is granted to the AWS account root user only, and not to all IAM users and roles for the account.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html

  • You cannot use an IAM policy or bucket policy to allow access from a VPC IPv4 CIDR range. VPC CIDR blocks can be overlapping or identical, which may lead to unexpected results; therefore you cannot use the aws:SourceIp condition in your IAM or bucket policies for requests that reach Amazon S3 through a VPC endpoint.
  • You can restrict access to a specific VPC (condition key aws:SourceVpc) or to a specific VPC endpoint (condition key aws:SourceVpce, as in the policy above).
  • Endpoints are currently supported for IPv4 traffic only.