I have some app configuration stored in a file in an S3 bucket (API keys). I have the S3 bucket configured to only allow access via a specific VPC endpoint, which ties the keys to specific environments, and prevents e.g. production keys being accidentally used in a staging or test environment.

However occasionally I need to amend these keys, and it's a pain. Currently the bucket policy prevents console access, so I have to remove the bucket policy, update the file, then replace the policy.

How can I allow access from the console, a specific VPC endpoint, and nowhere else?

Current policy, where I've tried and failed already:

{
    "Version": "2012-10-17",
    "Id": "Policy12345",
    "Statement": [
        {
            "Sid": "Principal-Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-keys-staging",
                "arn:aws:s3:::my-keys-staging/*"
            ]
        },
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-keys-staging",
                "arn:aws:s3:::my-keys-staging/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-vpceid"
                }
            }
        }
    ]
}

Why do you have the Deny condition? Content in Amazon S3 is private by default, so the Deny is only required if you wish to override permissions granted by other means (e.g. given to IAM Users). As a result, you can't assign permissions to allow a particular user (e.g. you!) to access the bucket. - John Rotenstein

To add to @JohnRotenstein's comment, see docs.aws.amazon.com/IAM/latest/UserGuide/…, specifically "The distinction between a request being denied by default and an explicit deny in a policy is important. By default, a request is denied, but this can be overridden by an allow. In contrast, if a policy explicitly denies a request, that deny can't be overridden." You have specified an explicit deny, and it cannot be overridden. - jarmod

1 Answer


As mentioned in the comments, having an explicit Deny cannot be overridden. By including the Deny tied to a particular VPC, you cannot add any other Allow elements to counteract that Deny statement.

Option 1

One option is to change your "deny if not from VPC abc" statement to "allow if from VPC abc". This would allow you to add additional Allow statements to your policy to allow you to access the bucket from elsewhere.

However, there are 2 very important caveats that go along with doing that:

  1. Any user with "generic" S3 access via IAM policies would have access to the bucket, and
  2. Any role/user from said VPC would be allowed into your bucket.

So by changing Deny to Allow, you will no longer have a VPC-restriction at the bucket level.

This may or may not be within your organization's security requirements.

Option 2

Instead, you can amend your existing Deny to add additional conditions which will work in an AND situation:

"Condition": {
  "StringNotEquals": {
    "aws:sourceVpce": "vpce-vpceid",
    "aws:username": "your-username"
  }
}

This type of condition will deny the request if:

  1. The request is not coming from your magic VPC, AND
  2. The request is not coming from YOUR username

So you should be able to maintain the restriction of limiting requests to your VPC with the exception that your user sign-in would be allowed access to the bucket from anywhere.

Note the security hole you are opening up by doing this. You should ensure you restrict the username to one that (a) does not have any access keys assigned, and (b) has MFA enabled.
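To see why the single-key Deny locks the console user out while the Option 2 Deny does not, the following is an added example (not part of the answer above, and not AWS code) that replays the bucket policy against three constructed request contexts. It assumes a simplified evaluation: only StringNotEquals is modelled, the principal is in the bucket's own account, and, as IAM documents for negated operators, a condition key absent from the request context counts as a match.

```python
BUCKET = "arn:aws:s3:::my-keys-staging"

def build_policy(extra_deny_keys):
    """Bucket policy from the question; extra_deny_keys are merged into the Deny's
    StringNotEquals block, which is how Option 2 adds aws:username."""
    deny_keys = {"aws:sourceVpce": "vpce-vpceid", **extra_deny_keys}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::account-id:root"},
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"StringNotEquals": deny_keys}},
    ]}

def condition_matches(condition, ctx):
    """Every operator and every key in a Condition block must match (AND). Only StringNotEquals
    is modelled; as a negated operator, a key absent from the request context matches (true)."""
    for operator, keys in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)
        for key, expected in keys.items():
            excluded = expected if isinstance(expected, list) else [expected]
            if ctx.get(key) in excluded:
                return False
    return True

def evaluate(policy, ctx):
    """Simplified evaluation for s3:* on the bucket by a principal in the account:
    a matching explicit Deny wins over any Allow; no Allow means implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision

# Constructed request contexts for the cases the answer walks through.
CONSOLE_ME = {"aws:username": "your-username"}   # console sign-in, no VPC endpoint
VPC_ROLE = {"aws:sourceVpce": "vpce-vpceid"}     # role inside the VPC (roles carry no aws:username)
OUTSIDER = {"aws:username": "someone-else"}      # another IAM user, from anywhere else

def compare():
    """Decision for each context under the current policy and under Option 2."""
    current, option2 = build_policy({}), build_policy({"aws:username": "your-username"})
    return {name: (evaluate(current, ctx), evaluate(option2, ctx))
            for name, ctx in [("console_me", CONSOLE_ME), ("vpc_role", VPC_ROLE), ("outsider", OUTSIDER)]}
```

Calling compare() shows the console user going from ExplicitDeny to Allow under Option 2, the in-VPC role allowed under both, and the other user denied under both, which is the AND behaviour the answer describes.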