0

Here is the bucket policy that I implemented in my bucket.

    {
    "Id": "Policy1535460101139",
    "Version": "2012-10-17",
    "Statement": [
      {
       "Sid": "Stmt1535460099601",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": "arn:aws:s3:::bucketname",
       "Condition": {
       "StringNotEquals": {
          "aws:SourceVpc": "vpc-id"
        }
      },
      "Principal": "*"
    }
  ]
}

Just after saving this bucket policy I'm unable to list or do anything with my bucket from console(I have s3 full access) with everything displaying access denied. Hence when I tried to copy a file from one of the ec2 instances in the VPC the copy was successfull but I was unable to list the objects in the bucket. I get an access denied error msg.(The ec2 instance has a role with full permission to the bucket). Here is the Role attached to the EC2 instance.

    {
     "Version": "2012-10-17",
     "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucketname/*"
      }
    ]
  }

What I want to know is whether this weird behaviour is a cause of my bucket policy or it may be something else. If yes any tips on how can I change my bucket policy now? Moreover here is screenshot from my console. enter image description here

vishal
  • 1,646
  • 5
  • 28
  • 56

2 Answers2

1

Yes, it is 100% due to your policy.

The policy is saying:

  • "Effect": "Deny", -- Deny access
  • "Principal": "*" -- For everyone
  • "Resource": "arn:aws:s3:::bucketname" -- To this bucket
  • "StringNotEquals": {"aws:SourceVpc": "vpc-id" -- If the request is not coming from this VPC

As to how to fix it, it depends on your requirements, which you did not state in your question.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • Just want know if I can now change the bucket policy from one of the instances inside the VPC using boto3 or cli? – vishal Aug 29 '18 at 05:36
  • Oh, you mean you can't remove that policy because the policy is stopping you from removing it, eh? That's interesting! You could use your Root credentials to remove it, because IAM policies don't apply to the Root login. Or, you can change things as long as you are coming from the stated VPC, it would seem. – John Rotenstein Aug 29 '18 at 06:08
  • I'm unable to change it from one of the instances inside VPC too. Is there any other way other than using root account, and moreover why is it not allowing instance from inside vpc too? – vishal Aug 29 '18 at 07:48
0

The reason I was not able to access the bucket even from a instance inside the vpc was because I didn't have an VPC to S3 endpoint attached to the route table of the subnet the instance belonged to. The word "aws:SourceVpc" is used to allow multiple endpoint connections from the same VPC as mentioned in the documents contrary to what I thought i.e it will allow all request from the mentioned VPC. So the final solution for this question is you can remove the bucket poilcy from an instance present inside the mentioned VPC provided it belongs to a subnet that has a VPC to S3 endpoint attached to it.

vishal
  • 1,646
  • 5
  • 28
  • 56