
I am creating an Electron.js app and I am using S3 to host the new releases of my app. I can't leave the S3 bucket open to the public and need to limit it only to the users in the company where the app will be used. Therefore, I decided to limit access to the bucket by the company's IP address. However, when Electron-updater checks for an update, I get the Error: HttpError: 403 Forbidden. This is the bucket policy I am using:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::BUCKETNAME",
                "arn:aws:s3:::BUCKETNAME/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "Company's IP Address"
                }
            }
        }
    ]
}

When Electron-Updater checks to see if there is a new update, I get the Error: HttpError: 403 Forbidden. It shouldn't be, because the request is coming from the IP of the company. I am wondering if maybe for some reason the request is coming from a different IP. I tried to use the S3 access logs (I have never used them), but nothing gets saved in the bucket I create to store those logs. I am at a loss as to what the problem is.

Rookie

1 Answer


If I understood the question, you want to allow only from specific IPs.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::BUCKETNAME",
                "arn:aws:s3:::BUCKETNAME/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "CIDR",
                        "CIDR"
                    ]
                }
            }
        }
    ]
}
Oxi
  • The interesting thing is that my bucket policy works when I visit the S3 console from a different IP address, because it blocks my access to the bucket. When I access it again in the console from the allowed IP, it shows it to me. I wonder if for some reason, when the app contacts S3, a different IP is recognized. I don't know how to check that. – Rookie Jul 27 '20 at 17:13
  • It works from the S3 Console - most probably because you logged in as root user (with your email and password) or as another user who has an identity policy (policy attached to user), which allows you to access it anyway (whatever the IP). – Oxi Jul 27 '20 at 17:15
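The difference between the question's Deny-only policy and the answer's Allow policy, and why the console still worked for a signed-in user, comes down to three evaluation rules: an explicit Deny always wins, a request needs at least one matching Allow (from the bucket policy or from the caller's identity policy) to succeed, and an anonymous request such as electron-updater's download has no identity policy at all. The toy evaluator below is an added example written for this page; it is not AWS's policy engine and not code from either poster. It models only the operators used on this page (`IpAddress`, `NotIpAddress`, `Action`/`Resource` wildcards), ignores ACLs and Block Public Access, and uses a constructed company range `203.0.113.0/24` with constructed request addresses; `BUCKETNAME` is the placeholder from the page.

```python
"""Toy evaluator for the two S3 bucket policies discussed above.

Added example, not the real AWS policy engine.  It reproduces the outcomes
the question and the comments describe: anonymous updater requests get an
implicit deny (403) under the Deny-only policy, a signed-in user with an
identity policy still succeeds from the allowed IP, and the explicit Deny
blocks that same user from any other IP.
"""
import fnmatch
import ipaddress

COMPANY_CIDR = "203.0.113.0/24"  # constructed placeholder range (TEST-NET-3)

# The question's policy: only an explicit Deny for non-company IPs, no Allow.
DENY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": COMPANY_CIDR}},
    }],
}

# The answer's policy: an Allow scoped to the company range(s).
ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": [COMPANY_CIDR]}},
    }],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _ip_in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_matches(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp."""
    for operator, keys in condition.items():
        cidrs = keys["aws:SourceIp"]
        if operator == "IpAddress" and not _ip_in_cidrs(source_ip, cidrs):
            return False
        if operator == "NotIpAddress" and _ip_in_cidrs(source_ip, cidrs):
            return False
    return True


def evaluate(bucket_policy, action, resource, source_ip, identity_allows=False):
    """Return 'allow' or 'deny' for one request.

    identity_allows=True models a signed request from an IAM principal whose
    own identity policy grants the action (the console case in the comments).
    An anonymous request, like electron-updater fetching a release file from a
    non-public bucket, has no identity policy, so identity_allows stays False.
    """
    allowed = identity_allows
    for stmt in bucket_policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny overrides every Allow
        allowed = True
    return "allow" if allowed else "deny"  # no matching Allow: implicit deny (403)


def demo():
    """Run the situations described in the question and the comments."""
    obj = "arn:aws:s3:::BUCKETNAME/latest.yml"      # constructed object key
    inside, outside = "203.0.113.10", "198.51.100.5"  # constructed addresses
    return {
        "deny-only, anonymous updater, company IP":
            evaluate(DENY_ONLY_POLICY, "s3:GetObject", obj, inside),
        "deny-only, console user with identity policy, company IP":
            evaluate(DENY_ONLY_POLICY, "s3:GetObject", obj, inside, identity_allows=True),
        "deny-only, console user with identity policy, other IP":
            evaluate(DENY_ONLY_POLICY, "s3:GetObject", obj, outside, identity_allows=True),
        "allow policy, anonymous updater, company IP":
            evaluate(ALLOW_POLICY, "s3:GetObject", obj, inside),
        "allow policy, anonymous updater, other IP":
            evaluate(ALLOW_POLICY, "s3:GetObject", obj, outside),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{outcome:5s}  {case}")
```

The first case is the 403 from the question: the Deny statement does not match a company-IP request, but nothing grants access either, so the anonymous updater is implicitly denied. The second and third reproduce the console behaviour from the comments without any IP mismatch being involved. When checking a real deployment, remember that `aws:SourceIp` is the public address S3 sees after any NAT or proxy, so compare the condition against the egress address rather than a workstation's local one.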