Object Storage

Limit access to bucket with S3 policy

SYNTAXERROR
3,973 Views

Hi folks

 

I have the following policy to limit access per groups to only one specific bucket (3 groups, 3 buckets):

{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.10"
}
}
}
]
}

 

I use this to limit access to only a specific bucket and only from one ip address. When I test it I don't see any bucket. Any Idea?

I tried it already without the ip address condition, still same problem.

 

Thank you!

1 ACCEPTED SOLUTION

SYNTAXERROR
3,737 Views

Did not work but I managed to get it working like this:


"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::12345678910111213:group/group1"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
]
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"NotIpAddress": {"aws:SourceIp": "192.168.1.10/32"}
}
}
]
}

 

Thank you for your help...

View solution in original post

10 REPLIES 10

elementx
3,920 Views

 I don't know but I simply looked at the manual and immediately spotted that you have a typo in the condition (should be sgws:SourceIp). There may be other typos or mistakes. The manuals have a few correctly working policy examples.

 

https://docs.netapp.com/sgws-110/topic/com.netapp.doc.sg-s3/GUID-53596498-9334-44DB-A4CE-DFEC28CF21FF.html?cp=5_0_5_1

SYNTAXERROR
3,894 Views

Hi

 

Thank you. This is the documentation for 11.0. In 11.3 it states that you have to use aws:SourceIp.

I also tested it without the condition.

elementx
3,891 Views

Ok, so you're on v11.3 and neither sgws: nor aws:  work.

 

1) When you remove the IP Condition, can the bucket be accessed?

 

2) When you only have the IP condition, can the bucket be accessed?

 

 

 

 

SYNTAXERROR
3,882 Views

Yeah, sorry for missing the version 😃

 

1) As mentioned this doesn't not work neither

 

2) No not yet but I will test that asap...

SYNTAXERROR
3,852 Views

2) No not yet but I will test that asap...

-> Tested now and it works as expected so it is only the bucket part which does not work...

elementx
3,848 Views

Could be a syntax error in your policy file. Can you create a "public" (or other name) test bucket and try like this?

{
  "Sid": "AllowEveryoneReadOnlyAccess",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [ "s3:GetObject", "s3:ListBucket" ],
  "Resource":[ "urn:sgws:s3:::public", "urn:sgws:s3:::public/*"],
  "Condition": {
    "IpAddress": {
    "sgws:SourceIp": "1.1.1.1/32"
  }
}

 

elementx
3,828 Views

Another example ("Deny" Policy, inverse match - Deny access to all clients but from specified subnet)

- Bucket: td01

- Td-centos server is in 10.193.205 subnet

- Client PC is not on the subnet

[root@td-centos ~]# cat td01_ip.json

{
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
         "arn:aws:s3:::td01",
         "arn:aws:s3:::td01/*"
      ],
      "Condition": {
                "NotIpAddress": {"aws:SourceIp": "10.193.205.0/24"}
      }
    }
  ]
}

[root@td-centos ~]# aws s3api put-bucket-policy --bucket td01 --profile user01 --policy file://td01_ip.json --endpoint-url https://sgdemo.netapp.com

[root@td-centos ~]#

[root@td-centos ~]# aws s3api get-bucket-policy --bucket td01 --profile user01 --endpoint-url https://sgdemo.netapp.com

{

    "Policy": "{\"Statement\":[{\"Sid\":\"IPAllow\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::td01\",\"arn:aws:s3:::td01/*\"],\"Condition\":{\"NotIpAddress\":{\"aws:SourceIp\":\"10.193.205.0/24\"}}}]}"

}

[root@td-centos ~]#


aws s3 ls s3://td01 --profile user01 --endpoint-url https://sgdemo.netapp.com
2020-09-22 16:36:23      65536 TestObject.0
2020-09-22 16:36:24      65536 TestObject.1
2020-09-22 16:36:24      65536 TestObject.2
2020-09-22 16:36:24      65536 TestObject.3
2020-09-22 16:36:24      65536 TestObject.4

# From another client

[root@td-centos ~]#

$ aws s3 ls s3://td01 --profile user02 --endpoint-url https://10.193.205.63 --no-verify-ssl

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Authorization failed.

 

SYNTAXERROR
3,791 Views

So I set the ILM policy to "Full Access" and use the following policy?:

{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::32994846229177:group/NewGroup"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"IpAddress": {"aws:SourceIp": "192.168.1.1"}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
]
}

]
}

elementx
3,773 Views

Looks good, but test it yourself to verify.

SYNTAXERROR
3,738 Views

Did not work but I managed to get it working like this:


"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::12345678910111213:group/group1"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
]
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"NotIpAddress": {"aws:SourceIp": "192.168.1.10/32"}
}
}
]
}

 

Thank you for your help...

Public