
I am trying to create a Kinesis Firehose stream (on AWS) that writes to an S3 bucket with a restricted bucket policy.

My bucket policy:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "DenyAllExcept",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::myrestrictedbucket/*",
                "arn:aws:s3:::myrestrictedbucket"
            ],
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:SourceVpc": "vpc-1234567"
                },
                "NotIpAddressIfExists": {
                    "aws:SourceIp": [
                        "xx.xx.xx.xx/32",
                        "52.19.239.192/27"
                    ]
                }
            }
        }
    ]
}

Note: 52.19.239.192/27 is the IP address range for EU (Ireland) (found in the documentation for accessing a Redshift cluster).

For now, it doesn't work and I get this error: Access was denied. Ensure that the trust policy for the provided IAM role allows Firehose to assume the role, and the access policy allows access to the S3 bucket.

If I disable my bucket policy, it works perfectly.

Does anyone know how to add a specific condition that would let Firehose write to my S3 bucket?

Thanks a lot in advance, Damien

  • Have you instead tried to limit the access to `"Principal": {"Service": "firehose.amazonaws.com"}`? – Andreas Oct 18 '16 at 20:15
  • The answer to https://stackoverflow.com/questions/36207399/s3-bucket-policy-to-allow-access-to-specific-users-and-restrict-all?rq=1 covers this scenario. – James Holmes Mar 21 '18 at 11:01
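As an added illustration (not part of the question or of any answer on this page), the following Python models how the Deny statement's condition block in the question evaluates against a few constructed request contexts. It shows why a request that carries no aws:SourceVpc and does not come from one of the listed IP ranges, which is what a Firehose delivery looks like to the bucket policy, falls under the Deny even though the role's own policies allow the write. The ...IfExists semantics follow the IAM documentation; the request contexts and the 203.0.113.10/32 office address are constructed.

```python
import ipaddress

# The Deny statement's condition block from the question. The office address
# "xx.xx.xx.xx/32" is replaced by the constructed documentation address
# 203.0.113.10/32; 52.19.239.192/27 is the range quoted in the question.
DENY_CONDITION = {
    "StringNotEqualsIfExists": {"aws:SourceVpc": "vpc-1234567"},
    "NotIpAddressIfExists": {
        "aws:SourceIp": ["203.0.113.10/32", "52.19.239.192/27"]
    },
}


def _in_any_cidr(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def deny_applies(condition, context):
    """True when every operator matches the request context, i.e. the Deny
    takes effect. Operators are ANDed; an ...IfExists operator whose key is
    absent from the context counts as matched. Absent keys on operators
    without IfExists are not modelled (the question's policy never needs it).
    """
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            values = wanted if isinstance(wanted, list) else [wanted]
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                raise NotImplementedError(f"{operator}: absent-key case")
            actual = context[key]
            base = operator.removesuffix("IfExists")
            if base == "StringNotEquals":
                matched = actual not in values
            elif base == "NotIpAddress":
                matched = not _in_any_cidr(actual, values)
            else:
                raise NotImplementedError(operator)
            if not matched:
                return False
    return True


def s3_access_denied(context):
    """True if the Deny in the question's bucket policy blocks this request."""
    return deny_applies(DENY_CONDITION, context)
```

Constructed contexts worth trying: `{"aws:SourceVpc": "vpc-1234567"}` (a call through the VPC) and `{"aws:SourceIp": "203.0.113.10"}` (the office) are not denied, while `{"aws:SourceIp": "198.51.100.7"}` or an empty context (no VPC key, no allowed IP) is denied, which is the situation the Firehose delivery ends up in.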

0 Answers