S3 Bucket Resource Policy
You will now configure an S3 bucket policy that restricts use of the S3 bucket resource so that requests are only permitted through your VPC gateway endpoint.
Update the S3 bucket policy in your lab (a template/example is provided below):
- Refer to the collected output values from your CloudFormation stack. Copy/paste the value of the “RestrictedS3BucketPermsURL” output into a browser to review the permissions on the S3 bucket. From the Permissions tab, click on Bucket policy.
- Refer to the collected output values from your CloudFormation stack. Copy the value of the “RestrictedS3BucketName” output.
- Replace the placeholder bucket name “examplerestrictedbucketname” in the template/example with the value of “RestrictedS3BucketName” collected from the CloudFormation outputs. The bucket name appears in both resource ARNs (the bucket itself and the objects under it), so replace it everywhere it occurs.
- Refer to the collected output values from your CloudFormation stack. Copy the value of the “S3VPCGatewayEndpoint” output.
- Replace the placeholder “vpce-vpceid” string in the template/example with the value of “S3VPCGatewayEndpoint” collected from the CloudFormation outputs (the format will be vpce-xxxxx). Check this value carefully: a mistyped endpoint ID in a Deny statement locks everyone out of the bucket, including access from the console.
- Having updated the example policy (below) with the values for your specific resources, add the bucket policy to the S3 bucket. For additional instructions/clarifications on updating the bucket policy, see “How do I add an S3 bucket policy?”
S3 Resource (bucket) policy template / example
Once entered, the policy should look similar to the following:
Important Gateway Endpoint Considerations
- For gateway endpoints only, you cannot limit the principal to a specific IAM role or user. Specify * to grant access to all IAM roles and users. If you instead specify the principal in the format “AWS”:“AWS-account-ID” or “AWS”:“arn:aws:iam::AWS-account-ID:root”, access is granted to the AWS account root user only, and not to all IAM users and roles in the account.
- You cannot use an IAM policy or bucket policy to allow access from a VPC IPv4 CIDR range. VPC CIDR blocks can be overlapping or identical, which may lead to unexpected results. Therefore, you cannot use the aws:SourceIp condition in your IAM or bucket policies for requests to Amazon S3 that arrive through a VPC endpoint; requests through a gateway endpoint do not carry a public source IP.
- You can restrict access to a specific VPC endpoint (using the aws:sourceVpce condition key, as in this lab) or to a specific VPC (using the aws:sourceVpc condition key).
- Endpoints are currently supported for IPv4 traffic only
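The following is an added worked example, not the lab's own policy template. It renders the deny-unless-from-endpoint bucket policy for the two values the steps above ask you to substitute (bucket name and vpce ID), refuses to emit a policy that still contains the placeholders or a malformed endpoint ID, and then evaluates the Deny statement the way IAM does, including the case the considerations above imply: a request that did not traverse any VPC endpoint has no aws:sourceVpce key in its context, and a negated operator such as StringNotEquals matches on a missing key, so that request is denied. The statement ID, the sample bucket name and the sample endpoint ID are assumptions chosen for illustration.

```python
"""Render and sanity-check a VPC-endpoint-restricted S3 bucket policy.

Added example for this lab, not the lab's template. It assumes the
documented deny-unless-from-endpoint pattern built on the aws:sourceVpce
condition key; the placeholder strings match the ones the lab text uses.
"""
import json
import re
from typing import Optional

# Placeholders the lab tells you to replace (taken from the lab text).
BUCKET_PLACEHOLDER = "examplerestrictedbucketname"
VPCE_PLACEHOLDER = "vpce-vpceid"

# Expected shapes of the real values: simplified S3 bucket naming rules and
# the vpce-xxxxx id format (8 or 17 hex characters after the prefix).
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
VPCE_RE = re.compile(r"^vpce-[0-9a-f]{8}([0-9a-f]{9})?$")


def render_bucket_policy(bucket_name: str, vpce_id: str) -> dict:
    """Return the bucket policy as a dict, refusing placeholders/bad formats."""
    if bucket_name == BUCKET_PLACEHOLDER or not BUCKET_RE.match(bucket_name):
        raise ValueError(f"bucket name not replaced or invalid: {bucket_name!r}")
    if vpce_id == VPCE_PLACEHOLDER or not VPCE_RE.match(vpce_id):
        raise ValueError(f"endpoint id not replaced or invalid: {vpce_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromVPCEndpoint",  # assumed statement id
                "Effect": "Deny",
                # Gateway endpoints: the principal has to be "*" (see the
                # considerations above); the condition does the restricting.
                "Principal": "*",
                "Action": "s3:*",
                # Both ARNs: the bucket itself and every object under it.
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}",
                    f"arn:aws:s3:::{bucket_name}/*",
                ],
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            }
        ],
    }


def policy_json(bucket_name: str, vpce_id: str) -> str:
    """Serialized form suitable for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(render_bucket_policy(bucket_name, vpce_id), indent=2)


def is_denied(policy: dict, request_vpce: Optional[str]) -> bool:
    """Evaluate the policy's Deny statements for a single request.

    request_vpce is the request's aws:sourceVpce value, or None when the
    request did not arrive through any VPC endpoint (internet, console,
    another account's VPC without this endpoint). IAM treats a negated
    operator (StringNotEquals) on a missing key as a match, so such
    requests are denied as well. Only the pattern above is modelled.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        expected = stmt["Condition"]["StringNotEquals"]["aws:sourceVpce"]
        if request_vpce is None or request_vpce != expected:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values standing in for the CloudFormation outputs.
    print(policy_json("my-restricted-bucket-0123", "vpce-0a1b2c3d"))
```

Because the only statement is an explicit Deny, nothing here grants access: identities still need their own IAM permissions on the bucket, and those permissions only work for requests that enter S3 through the one endpoint. Test the rendered policy from an instance inside the VPC before relying on it, and keep a way back in (a principal that can call PutBucketPolicy from inside the VPC) in case the endpoint ID was wrong.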