
I have a situation where I need to restrict an S3 bucket to deny all IPs except a provided list, but also allow access for Snowflake. Since the list of possible IP addresses used by Snowflake in a region is long - https://ip-ranges.amazonaws.com/ip-ranges.json - I was trying to see if I can provide an 'Allow' based on the Snowflake role created for the Snowflake S3 stage. The policy I tried looks like the one below.

{
    "Version": "2012-10-17",
    "Id": "SourceIP",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/snowflake-role"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::s3-bucket"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/snowflake-role"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::s3-bucket/*"
        },
        {
            "Sid": "SourceIP",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3-bucket",
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "10.10.100.10",
                        "10.10.100.11",
                        "10.10.100.12",
                        "10.10.100.13"
                    ]
                }
            }
        }
    ]
}

This works perfectly for blocking other IP addresses, but Snowflake cannot access the bucket. Since the 'Deny' possibly denied all IP addresses irrespective of the 'Allow' statement above for Snowflake, I tried allowing the IP addresses as below.

{
    "Version": "2012-10-17",
    "Id": "SourceIP",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/snowflake-role"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::s3-bucket"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/snowflake-role"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::s3-bucket/*"
        },
        {
            "Sid": "SourceIP",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3-bucket",
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "10.10.100.10",
                        "10.10.100.11",
                        "10.10.100.12",
                        "10.10.100.13"
                    ]
                }
            }
        }
    ]
}

Now Snowflake can access the bucket, but the IP restriction doesn't work. All IPs can access the bucket. Can someone help me with my scenario?

  • Why not allow Snowflake IP ranges to the S3 bucket and then limit the access to the Snowflake Stage by Role? That's how most companies do this. – Mike Walton Jun 17 '21 at 18:14
  • @MikeWalton, the problem with that approach is that there is a big list of IPs for a particular region for EC2 machines. And that may even change. Because of that, Snowflake is not recommending IP whitelisting. https://community.snowflake.com/s/article/Why-Snowflake-doesn-t-share-static-IP-address-with-customer – Arun Joseph Jun 21 '21 at 21:35

1 Answer


I think that indeed the most elegant solution would be to create an IAM role and assign it to the corresponding snowflakes you want to allow to access the S3 bucket. After that, block all access to the bucket with an explicit Deny for "Principal": "*". Finally, you can use the aws:userId or aws:PrincipalArn condition keys to only allow the users with the role to access the bucket.

Have a look at this article for more details: https://levelup.gitconnected.com/how-i-locked-the-whole-company-out-of-an-amazon-s3-bucket-1781de51e4be

Best, Stefan

StefanN
  • Wouldn't this solution block Snowflake from accessing the S3 bucket, too? – Mike Walton Jun 21 '21 at 23:07
  • @MikeWalton No. Anyone who assumes the particular role will be allowed via `"aws:userId":["UNIQUE_ROLE_ID:*"]` condition, i.e., they will be excluded from the `Deny`. This of course assumes that the role has access to the bucket, as the OP's question was how to limit the access... If you want to learn more about how this works, please check out my article linked in the answer. Also I would be happy to answer any further questions you might have. – StefanN Jun 22 '21 at 08:03
  • I understand the concept, but I read the subject of this post as the OP wanting to control based on Snowflake Roles, which aren't the same thing as an IAM role. So, that was my confusion. – Mike Walton Jun 22 '21 at 12:46
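The following is an added example, not code from the question or the answer. It is a deliberately small model of how S3 decides a same-account request under a bucket policy: an explicit Deny in the bucket policy beats every Allow, otherwise the request passes if either the caller's own IAM policy or a bucket-policy statement allows it. Only the condition operators needed here are modelled. Run against the two policies from the question and the answer's approach (a Deny that exempts the role via aws:PrincipalArn), it shows why the first attempt blocks Snowflake, why the second restricts nobody, and how the fix behaves. The account id, role name and office IPs are the question's placeholders; the request contexts and the Snowflake source IP are constructed and are not real Snowflake ranges.

```python
import fnmatch
import ipaddress

ACCOUNT = "111111111111"                                   # placeholder id from the question
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/snowflake-role"   # role from the question
BUCKET = "arn:aws:s3:::s3-bucket"
OFFICE_IPS = ["10.10.100.10", "10.10.100.11", "10.10.100.12", "10.10.100.13"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _glob_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Every operator block must be true: IAM ANDs them together."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            actual, values = ctx.get(key), _as_list(values)
            if operator == "IpAddress":
                ok = actual is not None and _ip_in(actual, values)
            elif operator == "NotIpAddress":      # "Not" operators hold when the key is absent
                ok = actual is None or not _ip_in(actual, values)
            elif operator == "ArnNotLike":
                ok = actual is None or not _glob_any(actual, values)
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    principal = stmt["Principal"]
    principal_ok = principal == "*" or ctx["aws:PrincipalArn"] in _as_list(principal.get("AWS", []))
    return (principal_ok
            and _glob_any(action, _as_list(stmt["Action"]))
            and _glob_any(resource, _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))


def evaluate(policy, action, resource, ctx, identity_allows):
    """Return 'Allow' or 'Deny'; identity_allows models the caller's own IAM policy grant."""
    decision = "Allow" if identity_allows else "Deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                         # explicit deny wins over every Allow
        decision = "Allow"
    return decision


def _role_allows():
    return [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:ListBucket", "Resource": BUCKET},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": BUCKET + "/*"},
    ]


def _ip_statement(effect, condition):
    return {"Sid": "SourceIP", "Effect": effect, "Principal": "*", "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"], "Condition": condition}


def policy_first_attempt():
    """Question's first policy: Deny every off-list IP; the Deny also hits the role."""
    return {"Version": "2012-10-17", "Statement": _role_allows() + [
        _ip_statement("Deny", {"NotIpAddress": {"aws:SourceIp": OFFICE_IPS}})]}


def policy_second_attempt():
    """Question's second policy: Allow on-list IPs; it adds a grant and restricts nothing."""
    return {"Version": "2012-10-17", "Statement": _role_allows() + [
        _ip_statement("Allow", {"IpAddress": {"aws:SourceIp": OFFICE_IPS}})]}


def policy_fixed(exempt_role_arns):
    """Answer's approach: Deny off-list IPs unless the caller is an exempted role.
    Both condition blocks must hold, so an exempted role is never caught by the Deny."""
    return {"Version": "2012-10-17", "Statement": _role_allows() + [
        _ip_statement("Deny", {"NotIpAddress": {"aws:SourceIp": OFFICE_IPS},
                               "ArnNotLike": {"aws:PrincipalArn": exempt_role_arns}})]}


# Constructed request contexts; the Snowflake source IP is made up, not a real range.
OFFICE_USER = {"aws:SourceIp": "10.10.100.11", "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
REMOTE_USER = {"aws:SourceIp": "203.0.113.9", "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
SNOWFLAKE = {"aws:SourceIp": "198.51.100.7", "aws:PrincipalArn": ROLE_ARN}


def outcomes(policy):
    """Decision per caller fetching one object: users rely on their own IAM policy,
    the Snowflake role relies only on the bucket policy's Allow statements."""
    key = BUCKET + "/stage/file.csv"
    return {
        "office_user": evaluate(policy, "s3:GetObject", key, OFFICE_USER, identity_allows=True),
        "remote_user": evaluate(policy, "s3:GetObject", key, REMOTE_USER, identity_allows=True),
        "snowflake_role": evaluate(policy, "s3:GetObject", key, SNOWFLAKE, identity_allows=False),
    }


if __name__ == "__main__":
    for name, pol in [("first attempt", policy_first_attempt()),
                      ("second attempt", policy_second_attempt()),
                      ("fixed", policy_fixed([ROLE_ARN]))]:
        print(name, outcomes(pol))
```

The fixed policy denies every off-list caller whose ARN is not in the exemption list, including the account's own administrators, which is the lock-out the linked article describes; keep a management role in that list, or scope the Deny to the actions you actually need to restrict. The Deny uses aws:PrincipalArn, which for an assumed role resolves to the role ARN; aws:userId with the role's unique id works the same way in this model but changes whenever the role is recreated.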