
I have an S3 bucket where I have a policy in place to prevent anyone from getting access to the objects if they are not from my VPC. However, now when I put a lifecycle policy on the bucket it doesn't apply.

Here is the current policy I have on the bucket:

{
  "Version": "2012-10-17",
  "Id": "Policy1636125293921",
  "Statement": [
      {
          "Sid": "Stmt1636125292369",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::bucketname/*",
          "Condition": {
              "StringNotEquals": {
                  "aws:SourceVPC": [
                      "vpc-0987654321",
                      "vpc-1234567890"
                  ]
              }
          }
      }
  ]
}

I have tried to add a second statement that gives full access to my user with this statement:

{
  "Sid": "Stmt1636125292368",
  "Effect": "Allow",
  "Principal": {
      "AWS": "arn:aws:iam::123456789012:user/username"
  },
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::bucketname/*"
}

I've tried a few different combinations of this second statement, but it is still not running the lifecycle policy. The policy exists and is there, but it doesn't run. Under "Object management overview" for one of the objects the Expiration date and Expiration rule remain blank; however, if I remove the DENY policy, then I am able to see the Expiration date. I need that DENY policy to keep doing what it does, so I can't remove that. I will also add that the user I am using has full admin permissions.

user17733554
  • Is the problem that the Lifecycle Policy does not run, or you are unable to "add the Lifecycle Policy" (in which case, what is the error message)? – John Rotenstein Dec 21 '21 at 23:34
  • @JohnRotenstein The policy exists and I am able to add it. I also checked via the CLI using "get-bucket-lifecycle-configuration" and I can see it's there. But it doesn't run, and on the object overview under management configurations, the Expiration Rule and Expiration date remain blank – user17733554 Dec 22 '21 at 09:39
  • In general, it's best to avoid `Deny` policies. In this case, it seems to be denying the changes that the Lifecycle Policy is attempting because it is not coming from your VPC. If you have a super-secret bucket, sometimes it's easier to put it in a different AWS Account and then limit access to that Account. – John Rotenstein Dec 22 '21 at 10:44
  • @JohnRotenstein I managed to get it to work for my use case using "NotPrincipal" which I didn't even know existed before today. Thank you for your help – user17733554 Dec 23 '21 at 16:54

1 Answer


Instead of having the Principal as "*" for the DENY statement, I replaced it with:

"NotPrincipal": {
  "AWS": [
    "arn:aws:iam::123456789012:user/username",
    "arn:aws:iam::123456789012:root"
  ]
}

The policy now denies anyone who isn't from my account, but it also allows anonymous users who are accessing the objects via the VPC to still have access. This has now allowed me to successfully run the lifecycle policy on the bucket.

user17733554
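The following is an added example, not code from the question or the answer above: a small, deliberately simplified simulation of how the two Deny statements discussed here are evaluated. It uses the placeholder ARNs, VPC ids and bucket name from the post, and models only the pieces this policy relies on (Effect, Principal/NotPrincipal, Action, Resource and the StringNotEquals operator). The evaluator itself is an assumption, not AWS's implementation, but it reproduces the two rules that explain the behaviour seen here: an explicit Deny beats any Allow, and a negated condition such as StringNotEquals is satisfied when the key is absent from the request (aws:SourceVPC is only set on requests arriving through a VPC endpoint), which is why the original Deny caught the account's own non-VPC requests.

```python
"""Added example: simulate the bucket-policy evaluation discussed in the post.
The ARNs and VPC ids are the placeholder values from the question; the
evaluation logic is a simplified stand-in for AWS's real policy engine."""
from fnmatch import fnmatch

ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/username"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
ALLOWED_VPCS = ["vpc-0987654321", "vpc-1234567890"]
OBJECTS = "arn:aws:s3:::bucketname/*"

# Original statement from the question: Deny for every principal unless the
# request carries one of the listed VPC ids.
DENY_EVERYONE = {
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": OBJECTS,
    "Condition": {"StringNotEquals": {"aws:SourceVPC": ALLOWED_VPCS}},
}

# Statement from the answer: same Deny, but the account's own principals
# (the user and the account root) are carved out with NotPrincipal.
DENY_EXCEPT_ACCOUNT = {
    "Effect": "Deny",
    "NotPrincipal": {"AWS": [USER_ARN, ROOT_ARN]},
    "Action": "s3:GetObject",
    "Resource": OBJECTS,
    "Condition": {"StringNotEquals": {"aws:SourceVPC": ALLOWED_VPCS}},
}

# The Allow statement the asker added while troubleshooting.
ALLOW_USER = {
    "Effect": "Allow",
    "Principal": {"AWS": USER_ARN},
    "Action": "s3:*",
    "Resource": OBJECTS,
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    if "Principal" in stmt:
        spec = stmt["Principal"]
        if spec == "*":
            return True
        return principal in _as_list(spec.get("AWS", []))
    # NotPrincipal: the statement applies to everyone who is NOT listed.
    return principal not in _as_list(stmt["NotPrincipal"].get("AWS", []))


def _condition_matches(stmt, context):
    """StringNotEquals is a negated operator: it is satisfied when the key is
    missing from the request context, so a request that did not come through
    a VPC endpoint (no aws:SourceVPC) matches the Deny."""
    for key, values in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if key in context and context[key] in _as_list(values):
            return False
    return True


def statement_applies(stmt, principal, action, resource, context):
    return (
        _principal_matches(stmt, principal)
        and any(fnmatch(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch(resource, r) for r in _as_list(stmt["Resource"]))
        and _condition_matches(stmt, context)
    )


def evaluate(statements, principal, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'. An explicit Deny always wins,
    which is why the added Allow statement could not override the original Deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not statement_applies(stmt, principal, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def compare():
    """Constructed scenarios contrasting the original and the NotPrincipal Deny."""
    obj = "arn:aws:s3:::bucketname/report.csv"   # constructed object key
    act = "s3:GetObject"
    from_vpc = {"aws:SourceVPC": "vpc-1234567890"}  # request via a VPC endpoint
    outside = {}                                    # no endpoint: key absent
    return {
        "original: admin outside vpc": evaluate([DENY_EVERYONE, ALLOW_USER], USER_ARN, act, obj, outside),
        "original: deny hits anonymous in vpc": statement_applies(DENY_EVERYONE, "anonymous", act, obj, from_vpc),
        "notprincipal: admin outside vpc": evaluate([DENY_EXCEPT_ACCOUNT, ALLOW_USER], USER_ARN, act, obj, outside),
        "notprincipal: deny hits anonymous outside vpc": statement_applies(DENY_EXCEPT_ACCOUNT, "anonymous", act, obj, outside),
        "notprincipal: deny hits anonymous in vpc": statement_applies(DENY_EXCEPT_ACCOUNT, "anonymous", act, obj, from_vpc),
    }


if __name__ == "__main__":
    for scenario, outcome in compare().items():
        print(f"{scenario}: {outcome}")
```

Two things worth checking when you adopt the NotPrincipal form: keep the account root ARN in the list, as the answer does, so a Deny cannot lock the account out of its own bucket, and remember that the carve-out exempts those principals from this Deny only; anyone else still needs a matching Allow (from the bucket policy or their IAM identity) before they can read objects through the VPC.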