I have a Bucket Policy (listed below) that is supposed to prevent access to an S3 bucket when it is accessed from anywhere other than a specific VPC. I launched an EC2 instance in the VPC, tested and confirmed that S3 access works fine. Now, when I access the same S3 bucket over the web console, I get an 'Error - Access Denied' message.

Does this mean that the aws:SourceVpc condition key is present in the request context when interacting with S3 over the web console as well?

My assumption is that it is present in the request context, as otherwise the policy statement would have failed such that the statement's "Effect" does not apply, because there is no "IfExists" added to StringNotEquals. I am asking this question as I could not find this information in the AWS documentation. Even after adding "IfExists" to StringNotEquals, the results are the same - can someone confirm?

{
    "Version": "2012-10-17",
    "Id": "Policy1589385141624",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::abhxy12bst3",
                "arn:aws:s3:::abhxy12bst3/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "vpc-0xy915sdfedb5667"
                }
            }
        }
    ]
}
  • That is a tricky question, as you are asking for something that might indeed be handled somewhere internally in the S3 bucket policy evaluation logic and not be passed around in the request context. I think only AWS officials will be able to answer that question correctly, as it doesn't seem there is any documentation out there on this topic. – Martin Löper May 16 '20 at 19:26
  • Thank you very much Martin Löper - I appreciate that you understood my question :-) - Yes, I too agree with what you said. Like I mentioned in the comment below, I think I should stop assuming that only condition keys that are present in the request context can be used - it seems things that can be dug out (but are not present in the request) can also be used as condition keys. – Abhishek Palakkal Kaliyath May 16 '20 at 19:27
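The question's Deny statement evaluated the way IAM evaluates it, as an added example that is not part of the original post and not AWS's code: a small Python model of the documented condition-key rules (a key absent from the request context makes a positive operator such as StringEquals false, a negated operator such as StringNotEquals true, and any operator carrying the IfExists suffix true). The policy and VPC id are the ones posted above; the request contexts, the office range 198.51.100.0/24 and all function names are assumptions constructed for the example.

```python
# Added example: simulate IAM condition evaluation for the question's Deny.
# Only the operator/missing-key rules are modelled; Action, Resource and
# Principal matching is skipped because the statement covers s3:* on the
# whole bucket for every principal.
import copy
import fnmatch
import ipaddress

# The bucket policy from the question (ids as posted there).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPC-only",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::abhxy12bst3", "arn:aws:s3:::abhxy12bst3/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-0xy915sdfedb5667"}},
    }],
}

# Negated operator -> its positive counterpart.
NEGATED = {"StringNotEquals": "StringEquals",
           "StringNotLike": "StringLike",
           "NotIpAddress": "IpAddress"}


def _matches(op, value, pattern):
    """Positive operators only; negation is handled by the caller."""
    if op == "StringEquals":
        return value == pattern
    if op == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)
    if op == "IpAddress":
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    raise ValueError(f"operator not modelled: {op}")


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context.

    All operator blocks in one Condition are ANDed. For a key that is absent
    from the request context, a positive operator is false, a negated
    operator (StringNotEquals, NotIpAddress, ...) is true, and any operator
    with the IfExists suffix is true. Condition keys are case-insensitive.
    """
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, clauses in condition.items():
        if_exists = operator.endswith("IfExists")
        op = operator[:-len("IfExists")] if if_exists else operator
        negated = op in NEGATED
        base = NEGATED.get(op, op)
        for key, patterns in clauses.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            value = ctx.get(key.lower())
            if value is None:
                if negated or if_exists:
                    continue          # absent key: this clause is true
                return False          # absent key, positive operator: false
            hit = any(_matches(base, value, p) for p in patterns)
            if hit == negated:        # positive needs a hit, negated needs none
                return False
    return True


def is_denied(policy, context):
    """True when any Deny statement's condition matches the context."""
    return any(stmt["Effect"] == "Deny"
               and condition_matches(stmt.get("Condition", {}), context)
               for stmt in policy["Statement"])


def with_if_exists(policy):
    """Same policy with StringNotEqualsIfExists, as the question tried."""
    p = copy.deepcopy(policy)
    cond = p["Statement"][0]["Condition"]
    p["Statement"][0]["Condition"] = {"StringNotEqualsIfExists": cond["StringNotEquals"]}
    return p


def with_office_exception(policy, office_cidr):
    """Add a second, ANDed clause so the Deny fires only when the request is
    neither from the VPC nor from office_cidr (an assumed public range)."""
    p = copy.deepcopy(policy)
    p["Statement"][0]["Condition"]["NotIpAddress"] = {"aws:SourceIp": office_cidr}
    return p


# Constructed request contexts, not real CloudTrail records. A request that
# reaches S3 through the VPC's gateway endpoint carries aws:SourceVpc; a
# console request arrives over the public internet and has no VPC keys.
FROM_VPC = {"aws:SourceVpc": "vpc-0xy915sdfedb5667"}
FROM_CONSOLE = {"aws:SourceIp": "203.0.113.10"}
FROM_OFFICE_CONSOLE = {"aws:SourceIp": "198.51.100.7"}

if __name__ == "__main__":
    print("VPC instance denied?     ", is_denied(QUESTION_POLICY, FROM_VPC))      # False
    print("console denied?          ", is_denied(QUESTION_POLICY, FROM_CONSOLE))  # True
    print("console, IfExists denied?", is_denied(with_if_exists(QUESTION_POLICY), FROM_CONSOLE))  # True
    fixed = with_office_exception(QUESTION_POLICY, "198.51.100.0/24")
    print("office console denied?   ", is_denied(fixed, FROM_OFFICE_CONSOLE))  # False
    print("other console denied?    ", is_denied(fixed, FROM_CONSOLE))         # True
```

The console request is denied not because a VPC id is hidden in its request context but because StringNotEquals is true when the key is absent; IfExists changes nothing, since it also evaluates to true for an absent key. The last function shows the usual way to let console users in without an Allow for the whole internet: a second NotIpAddress clause on aws:SourceIp in the same Deny statement, which is ANDed with the VPC clause.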

3 Answers

This will apply to all requests interacting with S3. The console just provides a GUI on top of the AWS API.

Chris Williams
  • Thanks! And that is why it is not required to add "IfExists" to the condition check? Also, I wanted to ask if SourceVpc is visible in all S3 events logged in CloudTrail. I saw SourceVpce (endpoint) in some S3 request contexts but could not find SourceVpc - your thoughts? – Abhishek Palakkal Kaliyath May 16 '20 at 16:33
  • It'll always be SourceVpce :) – Chris Williams May 16 '20 at 16:34
  • Ok - but my original question was about sourceVpc being present in the request context and not needing "IfExists". So, is the sourceVpc condition hidden in the request context? – Abhishek Palakkal Kaliyath May 16 '20 at 16:38
  • sourceVpc should not be hidden in the request context as long as it uses the VPCE – Chris Williams May 16 '20 at 16:44
  • Thanks for providing insights, but I am still not getting it - you said "It'll always be SourceVpce". So, do you mean "SourceVpc" will not be available in the request context? Or alternately, are you saying that both SourceVpce and SourceVpc will be present in the request context? – Abhishek Palakkal Kaliyath May 16 '20 at 16:47
  • In the CloudTrail event, I can see only "vpcEndpointId": "vpce-f4sdfc59d" but nothing that says "vpc" – Abhishek Palakkal Kaliyath May 16 '20 at 16:52
  • That's because CloudTrail is only seeing the context of it going through the VPCE; the S3 bucket will indeed have access to the VPC. https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html – Chris Williams May 16 '20 at 16:55
  • You mean to say AWS will figure out the VPC id from the VPCE - right? Ok - I think I should stop assuming that only condition keys that are present in the request context can be used - it seems things that can be dug out (but are not present in the request) can also be used as condition keys. – Abhishek Palakkal Kaliyath May 16 '20 at 18:56

Yes, you are right. I tested the following bucket policy; the operations from the AWS S3 console are denied.

{
    "Version": "2012-10-17",
    "Id": "Policy1589385141624",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::abhxy12bst3",
                "arn:aws:s3:::abhxy12bst3/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:sourceVpc": "vpc-30*"
                }
            }
        }
    ]
}

It means there is definitely some VPC id present in the request. It might be the same for each account or it could be different.

jellycsc
  • Thank you jellycsc - true, all requests to S3 seem to have a vpcEndpointId (irrespective of whether the request was made from the console or a specific VPC), and then probably AWS figures out the associated VPC from the vpcEndpointId. That's all hidden somewhere; I thought the request context was pretty transparent - seems not :-) – Abhishek Palakkal Kaliyath May 17 '20 at 03:27

For the console you need to allow your source IP to access S3: when you are accessing resources through the console, your authorization request contains the public IP you are using. See Lab 2 on: https://catalog.us-east-1.prod.workshops.aws/workshops/a11f0f32-cc23-4c95-b243-43c53bdc7177/en-US/core-labs/network-perimeter-resources