AWS S3 Bucket Policy Whitelist

1
votes

I have a bucket policy that whitelists my IP ranges in AWS. I have an EC2 server running a Packer build job, which tries to pull an object from my bucket and I am getting a 403 Forbidden error, even though the IP of my EC2 server running the said job is clearly within the whitelisted range. Even when I run wget from a machine within that CIDR range, I get the same error. I am confused why this is happening. The policy seems fine. Below is my bucket policy, the IP of my server, and the error:

Bucket Policy:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::xxxxxxx",
                "arn:aws:s3:::xxxxxxx/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "10.x.x.x/12"
                    ]
                }
            }
        }
    ]
}

Server IP:

10.x.x.x/32

Error:

ui,message,    amazon-ebs:     "msg": "Error downloading 
https://s3.amazonaws.com/xxxxx/yyyy.zip to C:\\temp\\xxx.zip Exception 
calling \"DownloadFile\" with \"2\" argument(s): \"The remote server 
returned an error: (403) Forbidden.\""
2
amazon-web-servicesamazon-s3whitelist
RFC1918: youtube.com/watch?v=2xbm7VfCs2Mjarmod

2 Answers

5
votes

Amazon S3 lives on the Internet.

Therefore, when communicating with S3, your system will be using a Public IP address.

However your policy only includes private IP addresses. That is why it is not working.

Your options are:

  • Modify the policy to use the Public IP address of the instance(s), or the Public IP address of a NAT Gateway if your instances are in a private subnet, OR
  • Create a Gateway VPC Endpoint that connects the VPC directly to Amazon S3. You can then configure a Bucket Policy that only accepts traffic via the VPC Endpoint.
1
votes

aws:sourceIp expects a public IP address. Private addresses are, by definition, ambiguous, and 10.x.x.x/12 is a private (RFC-1918) address, so it will never match.

If you are not using an S3 VPC endpoint, you could whitelist the public IP address of your NAT Gateway (assuming all the instances with access to thr gateway should be able to access the bucket).

If you are using an S3 VPC endpoint, you can't whitelist by IP:

you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html

Also, there's this:

Note: It's a best practice not to use the aws:SourceIp condition key.

https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/