S3 access from VPC or Corporate IP

If you’ve been wanting to allow HTTP access to your favorite S3 bucket from your VPC and/or from your corporate LAN’s public IP, then this blog could help make your job easier. At the end of this, you will be able to use your S3 bucket as an artifact server serving files via HTTP.

To begin, we’ll need to set up a VPC Endpoint. Head to VPC->Endpoints->Create. Select your VPC and choose S3 from the next dropdown:

[Screenshot: the Create Endpoint dialog]

Copy the “vpce-xxxxxxx” endpoint ID that is returned after creation; the bucket policy below refers to it.

Next, head to your S3 bucket and in the properties side bar, hit “Permissions” and click “Add Bucket Policy” and enter something like this:

{
    "Version": "2012-10-17",
    "Id": "Policy1478550966902",
    "Statement": [
        {
            "Sid": "Stmt1478708488423",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname",
                "arn:aws:s3:::yourbucketname/*"
            ],
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:sourceVpce": "vpce-xxxxxx"
                }
            }
        }
    ]
}

In my case, I wanted GetObject, ListBucket, and PutObject access only from our VPC, so that’s what I put in there. Your use case may vary. Keep in mind that with "Principal": "*" these requests need no AWS credentials at all: anything that can reach the bucket through that endpoint can read and write it, so grant only the actions and resources your use case actually needs.

Remember, I also want access to the bucket from our corporate IP address. Note that if you simply add the IP address to the same Condition block, the two conditions are combined with AND: access is granted only if the source IP matches AND the request arrives through the VPC endpoint. What we want is OR: access if the IP address matches, or if the request comes from the VPC. So this is NOT going to work:

            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:sourceVpce": "vpce-xxxxxx"
                },
                "IpAddress": {
                    "aws:SourceIp": "X.X.X.X/16"
                }
            }

Here’s what you’d use instead: two separate statements, one per condition. Each statement is evaluated on its own, and the request is allowed if either one matches:

{
    "Version": "2012-10-17",
    "Id": "Policy1478550966902",
    "Statement": [
        {
            "Sid": "Stmt1478550959905",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname",
                "arn:aws:s3:::yourbucketname/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "X.X.X.X/16"
                }
            }
        },
        {
            "Sid": "Stmt1478708488423",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname",
                "arn:aws:s3:::yourbucketname/*"
            ],
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:sourceVpce": "vpce-xxxxxx"
                }
            }
        }
    ]
}
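To see why the single-statement version fails and the two-statement version works, here is a small model of the evaluation logic, added as an example and not part of the original post or of any AWS code. It implements only the two condition operators used above; the endpoint ID "vpce-0123abcd", the range 203.0.113.0/24 and the request contexts are constructed values.

```python
import ipaddress

# Added example, not AWS code: a minimal model of how S3 evaluates a bucket
# policy's Condition block. Operators inside one statement are ANDed; the
# request is allowed if any Allow statement matches (OR across statements).
# Only the page's two operators are modelled; endpoint id and CIDR are constructed.
ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutObject"]
VIA_VPCE = {"StringEqualsIgnoreCase": {"aws:sourceVpce": "vpce-0123abcd"}}
FROM_CORP = {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}

def allow(condition):
    return {"Effect": "Allow", "Principal": "*", "Action": ACTIONS,
            "Resource": "arn:aws:s3:::yourbucketname/*", "Condition": condition}

BROKEN_POLICY = {"Statement": [allow({**VIA_VPCE, **FROM_CORP})]}  # one statement: AND
FIXED_POLICY = {"Statement": [allow(FROM_CORP), allow(VIA_VPCE)]}   # two statements: OR

def operator_matches(operator, pairs, ctx):
    for key, wanted in pairs.items():
        actual = ctx.get(key)
        if actual is None:  # key absent from the request context: no match
            return False
        if operator == "StringEqualsIgnoreCase":
            if actual.lower() != wanted.lower():
                return False
        elif operator == "IpAddress":
            if ipaddress.ip_address(actual) not in ipaddress.ip_network(wanted):
                return False
        else:
            raise NotImplementedError(operator)
    return True

def is_allowed(policy, action, ctx):
    allowed = False
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        if all(operator_matches(op, p, ctx) for op, p in stmt["Condition"].items()):
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed

# Request contexts: via the endpoint (no public source IP), corporate range, elsewhere.
REQUESTS = {"vpce": {"aws:sourceVpce": "VPCE-0123ABCD"},
            "corp": {"aws:SourceIp": "203.0.113.42"},
            "other": {"aws:SourceIp": "198.51.100.7"}}

def decisions(policy, action="s3:GetObject"):
    return {name: is_allowed(policy, action, ctx) for name, ctx in REQUESTS.items()}
```

Running decisions() on BROKEN_POLICY denies all three requests, while FIXED_POLICY allows the endpoint and corporate ones and still denies the third.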

And, done!
