I'm restricting bucket access to my VPC Endpoints. I have a bucket, say test-bucket, which is in the Dev account, and I have added the below policy so that access is restricted to only the VPC Endpoints:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access From Dev, QA Account",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::x:root",
          "arn:aws:iam::y:root"
        ]
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::test-bucket",
        "arn:aws:s3:::test-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": [
            "vpce-1234",
            "vpce-1235"
          ]
        }
      }
    }
  ]
}
All the instances from the Dev account are able to access the object via wget and the AWS CLI. The problem arises when I access it from instances in the QA account: I'm able to wget the object but not able to access it via the AWS CLI, and I get the below error:
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
Though I have added the VPC Endpoint for the QA account to the S3 bucket policy.
If I remove the Deny action and the VPC Endpoint rules from the bucket policy, then I'm able to access the bucket from QA account instances, as there are IAM roles defined for it. My question is: when I restrict the access via VPC Endpoint, why am I not able to access it from QA account instances?
The accounts are from the same region.
vpce-1235, then the Condition is false due to StringNotEquals? Therefore the policy does not even apply. Am I correct? So what roles does the QA account have to access the bucket? – Marcin
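To make the evaluation order in the question and in Marcin's comment concrete, here is an added example (not code from the post or its comments): a small Python evaluator for that single Deny statement, showing when it matches a request and why a HeadObject call is affected by a Deny on s3:GetObject. It assumes literal ARN matching for NotPrincipal, reuses the post's placeholder account IDs x and y, and the QA role ARN and the endpoint vpce-9999 are constructed.

```python
"""Added example (not from the question): evaluator for the one Deny
statement in the bucket policy above. NotPrincipal matching is simplified to
literal ARN equality; account IDs x/y and endpoint IDs are the post's values."""

NOT_PRINCIPALS = {"arn:aws:iam::x:root", "arn:aws:iam::y:root"}
DENIED_ACTIONS = {"s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"}
LISTED_VPCES = {"vpce-1234", "vpce-1235"}

# S3 API operation -> IAM action that authorizes it.
# HeadObject (the call failing in the CLI error) is authorized by s3:GetObject.
OPERATION_TO_ACTION = {
    "HeadObject": "s3:GetObject",
    "GetObject": "s3:GetObject",
    "ListObjectsV2": "s3:ListBucket",
    "GetBucketLocation": "s3:GetBucketLocation",
}


def deny_matches(principal_arn, operation, source_vpce=None):
    """True if the Deny statement applies to this request.

    NotPrincipal: the Deny targets every principal that is NOT listed.
    StringNotEquals on aws:sourceVpce: true when the endpoint is not listed.
    IAM treats a missing context key as "not equal", so a request that does
    not arrive through any VPC endpoint (source_vpce=None) is denied too.
    """
    action = OPERATION_TO_ACTION[operation]
    if action not in DENIED_ACTIONS:
        return False
    if principal_arn in NOT_PRINCIPALS:
        return False
    return source_vpce not in LISTED_VPCES


def evaluate(principal_arn, operation, source_vpce=None):
    """An explicit Deny always wins. If the Deny does not match, the request
    still needs an Allow: from the bucket policy for a cross-account caller,
    or from the caller's own IAM policy when it is in the bucket's account."""
    if deny_matches(principal_arn, operation, source_vpce):
        return "DENY"
    return "NOT_DENIED_BY_THIS_STATEMENT"


if __name__ == "__main__":
    # Constructed request: a role session from the QA account (y).
    qa_role = "arn:aws:sts::y:assumed-role/qa-instance-role/i-0abc"
    for vpce in ("vpce-1235", "vpce-9999", None):
        print(vpce, evaluate(qa_role, "HeadObject", vpce))
```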