Limit access to bucket with S3 policy

SYNTAXERROR

Hi folks

 

I have the following policy to limit access per groups to only one specific bucket (3 groups, 3 buckets):

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.1.10"
        }
      }
    }
  ]
}

 

I use this to limit access to only a specific bucket and only from one IP address. When I test it I don't see any bucket. Any idea?

I tried it already without the ip address condition, still same problem.

 

Thank you!


10 REPLIES 10

elementx

Could be a syntax error in your policy file. Can you create a "public" (or other name) test bucket and try it like this?

{
  "Sid": "AllowEveryoneReadOnlyAccess",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [ "s3:GetObject", "s3:ListBucket" ],
  "Resource": [ "urn:sgws:s3:::public", "urn:sgws:s3:::public/*" ],
  "Condition": {
    "IpAddress": {
      "sgws:SourceIp": "1.1.1.1/32"
    }
  }
}

 

elementx

Another example ("Deny" policy, inverse match: deny access to all clients except those from the specified subnet):

- Bucket: td01

- The td-centos server is in the 10.193.205 subnet

- The client PC is not on that subnet

[root@td-centos ~]# cat td01_ip.json

{
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
         "arn:aws:s3:::td01",
         "arn:aws:s3:::td01/*"
      ],
      "Condition": {
                "NotIpAddress": {"aws:SourceIp": "10.193.205.0/24"}
      }
    }
  ]
}

[root@td-centos ~]# aws s3api put-bucket-policy --bucket td01 --profile user01 --policy file://td01_ip.json --endpoint-url https://sgdemo.netapp.com
[root@td-centos ~]#
[root@td-centos ~]# aws s3api get-bucket-policy --bucket td01 --profile user01 --endpoint-url https://sgdemo.netapp.com
{
    "Policy": "{\"Statement\":[{\"Sid\":\"IPAllow\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::td01\",\"arn:aws:s3:::td01/*\"],\"Condition\":{\"NotIpAddress\":{\"aws:SourceIp\":\"10.193.205.0/24\"}}}]}"
}
[root@td-centos ~]#
[root@td-centos ~]# aws s3 ls s3://td01 --profile user01 --endpoint-url https://sgdemo.netapp.com
2020-09-22 16:36:23      65536 TestObject.0
2020-09-22 16:36:24      65536 TestObject.1
2020-09-22 16:36:24      65536 TestObject.2
2020-09-22 16:36:24      65536 TestObject.3
2020-09-22 16:36:24      65536 TestObject.4

# From another client

$ aws s3 ls s3://td01 --profile user02 --endpoint-url https://10.193.205.63 --no-verify-ssl

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Authorization failed.

 

SYNTAXERROR

So I set the ILM policy to "Full Access" and use the following policy?

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::32994846229177:group/NewGroup"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ],
      "Condition": {
        "IpAddress": {"aws:SourceIp": "192.168.1.1"}
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ]
    }
  ]
}

elementx

Looks good, but test it yourself to verify.

SYNTAXERROR

Did not work, but I managed to get it working like this:

{
  "Statement": [
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::12345678910111213:group/group1"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ],
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": "192.168.1.10/32"}
      }
    }
  ]
}

 

Thank you for your help...

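Why the accepted two-Deny policy works while the earlier Allow-plus-unconditional-Deny attempt does not comes down to evaluation order: an explicit Deny always wins, and a bucket policy made only of Deny statements relies on the group policy ("Full Access") to supply the Allow. The small simulator below is an added example, not code from this thread or from NetApp; it models only s3:* requests against bucket1, ignores Action/Resource matching, and treats the group policy as an identity policy with no Principal key. The group ARN and IP addresses are the poster's constructed values; the same NotIpAddress logic also covers the td01 subnet example above.

```python
import ipaddress

# Constructed inputs modelled on this thread's policies (group ARN and IPs are placeholders).
GROUP = "arn:aws:iam::12345678910111213:group/group1"
RES = ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]
# Group (identity) policy, no Principal key: what "Full Access" grants to the group's members.
GROUP_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Earlier attempt: Allow for the group from one IP, then an unconditional Deny for everyone.
ALLOW_THEN_DENY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": GROUP}, "Action": "s3:*", "Resource": RES, "Condition": {"IpAddress": {"aws:SourceIp": "192.168.1.10"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": RES}]}
# Accepted solution: Deny everyone but the group, and Deny everyone not coming from the IP.
DOUBLE_DENY = {"Statement": [
    {"Effect": "Deny", "NotPrincipal": {"AWS": GROUP}, "Action": "s3:*", "Resource": RES},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": RES, "Condition": {"NotIpAddress": {"aws:SourceIp": "192.168.1.10/32"}}}]}

def _principal_matches(spec, principal):
    if spec == "*":
        return True
    arns = spec.get("AWS", [])
    return principal in ([arns] if isinstance(arns, str) else arns)

def _ip_in(cidrs, ip):
    # A bare address such as "192.168.1.10" is treated as a /32, like IAM does.
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _condition_holds(cond, ip):
    cond = cond or {}
    if "IpAddress" in cond and not _ip_in(cond["IpAddress"]["aws:SourceIp"], ip):
        return False
    if "NotIpAddress" in cond and _ip_in(cond["NotIpAddress"]["aws:SourceIp"], ip):
        return False
    return True

def evaluate(policies, principal, source_ip):
    """Simplified IAM logic: an explicit Deny anywhere wins, else a matching Allow grants, else implicit deny."""
    decision = "ImplicitDeny"
    for st in (s for p in policies for s in p["Statement"]):
        if "Principal" in st:
            applies = _principal_matches(st["Principal"], principal)
        elif "NotPrincipal" in st:  # applies to everyone *except* the listed principal
            applies = not _principal_matches(st["NotPrincipal"], principal)
        else:  # identity (group) policy: applies to the caller it is attached to
            applies = True
        if not applies or not _condition_holds(st.get("Condition"), source_ip):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Running `evaluate([GROUP_FULL_ACCESS, ALLOW_THEN_DENY], GROUP, "192.168.1.10")` yields "Deny" because the unconditional Deny overrides the Allow, whereas `evaluate([GROUP_FULL_ACCESS, DOUBLE_DENY], GROUP, "192.168.1.10")` yields "Allow" and any other principal or source address is denied.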

elementx

I don't know, but I simply looked at the manual and immediately spotted that you have a typo in the condition (should be sgws:SourceIp). There may be other typos or mistakes. The manuals have a few correctly working policy examples.

 

https://docs.netapp.com/sgws-110/topic/com.netapp.doc.sg-s3/GUID-53596498-9334-44DB-A4CE-DFEC28CF21FF.html?cp=5_0_5_1

SYNTAXERROR

Hi

 

Thank you. This is the documentation for 11.0. In 11.3 it states that you have to use aws:SourceIp.

I also tested it without the condition.

elementx

Ok, so you're on v11.3 and neither sgws: nor aws: work.

 

1) When you remove the IP Condition, can the bucket be accessed?

 

2) When you only have the IP condition, can the bucket be accessed?

SYNTAXERROR

Yeah, sorry for missing the version 😃

 

1) As mentioned, this doesn't work either.

 

2) No, not yet, but I will test that ASAP...

SYNTAXERROR

2) No, not yet, but I will test that ASAP...

-> Tested now, and it works as expected, so it is only the bucket part which does not work...
