Object Storage
Hi folks
I have the following policy to limit access per groups to only one specific bucket (3 groups, 3 buckets):
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.10"
}
}
}
]
}
I use this to limit access to only a specific bucket and only from one IP address. When I test it I don't see any bucket. Any idea?
I tried it already without the ip address condition, still same problem.
Thank you!
I don't know but I simply looked at the manual and immediately spotted that you have a typo in the condition (should be sgws:SourceIp). There may be other typos or mistakes. The manuals have a few correctly working policy examples.
Hi
Thank you. This is the documentation for 11.0. In 11.3 it states that you have to use aws:SourceIp.
I also tested it without the condition.
Ok, so you're on v11.3 and neither sgws: nor aws: work.
1) When you remove the IP Condition, can the bucket be accessed?
2) When you only have the IP condition, can the bucket be accessed?
Yeah, sorry for missing the version 😃
1) As mentioned, this doesn't work either
2) No not yet but I will test that asap...
-> Tested now and it works as expected so it is only the bucket part which does not work...
Could be a syntax error in your policy file. Can you create a "public" (or other name) test bucket and try like this?
{
"Sid": "AllowEveryoneReadOnlyAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"urn:sgws:s3:::public",
"urn:sgws:s3:::public/*"
],
"Condition": {
"IpAddress": {
"sgws:SourceIp": "1.1.1.1/32"
}
}
}
Another example ("Deny" Policy, inverse match - Deny access to all clients but from specified subnet)
- Bucket: td01
- Td-centos server is in 10.193.205 subnet
- Client PC is not on the subnet
[root@td-centos ~]# cat td01_ip.json
{
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::td01",
"arn:aws:s3:::td01/*"
],
"Condition": {
"NotIpAddress": {"aws:SourceIp": "10.193.205.0/24"}
}
}
]
}
[root@td-centos ~]# aws s3api put-bucket-policy --bucket td01 --profile user01 --policy file://td01_ip.json --endpoint-url https://sgdemo.netapp.com
[root@td-centos ~]#
[root@td-centos ~]# aws s3api get-bucket-policy --bucket td01 --profile user01 --endpoint-url https://sgdemo.netapp.com
{
"Policy": "{\"Statement\":[{\"Sid\":\"IPAllow\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::td01\",\"arn:aws:s3:::td01/*\"],\"Condition\":{\"NotIpAddress\":{\"aws:SourceIp\":\"10.193.205.0/24\"}}}]}"
}
[root@td-centos ~]# aws s3 ls s3://td01 --profile user01 --endpoint-url https://sgdemo.netapp.com
2020-09-22 16:36:23 65536 TestObject.0
2020-09-22 16:36:24 65536 TestObject.1
2020-09-22 16:36:24 65536 TestObject.2
2020-09-22 16:36:24 65536 TestObject.3
2020-09-22 16:36:24 65536 TestObject.4
# From another client
[root@td-centos ~]# $ aws s3 ls s3://td01 --profile user02 --endpoint-url https://10.193.205.63 --no-verify-ssl
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Authorization failed.
So I set the ILM policy to "Full Access" and use the following policy?:
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::32994846229177:group/NewGroup"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"IpAddress": {"aws:SourceIp": "192.168.1.1"}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
]
}
]
}
Looks good, but test it yourself to verify.
Did not work but I managed to get it working like this:
{
"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::12345678910111213:group/group1"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
]
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"NotIpAddress": {"aws:SourceIp": "192.168.1.10/32"}
}
}
]
}
Thank you for your help...
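As an added example (not code from the thread or from StorageGRID), a small evaluator that applies the thread's final bucket policy, two Deny statements and no Allow, to sample requests. It assumes the standard evaluation order (an explicit Deny overrides any Allow, and no matching statement means the bucket policy grants nothing, so the group policy decides), treats aws:SourceIp and sgws:SourceIp alike, matches principals as exact ARN strings without resolving group membership, and rejects a statement with no Principal element, which is what the first policy in the thread lacks.

```python
import ipaddress
from fnmatch import fnmatchcase
# Constructed copy of the thread's final bucket policy: two Deny statements and no Allow, so
# the grant itself has to come from the group policy ("Full Access" in the thread).
FINAL_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "NotPrincipal": {"AWS": "arn:aws:iam::12345678910111213:group/group1"},
     "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]},
    {"Effect": "Deny", "Action": "s3:*", "Principal": "*",
     "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "192.168.1.10/32"}}}]}
IP_KEYS = ("aws:SourceIp", "sgws:SourceIp")  # 11.3 and 11.0 spellings, treated alike here

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(spec, principal_arn):
    # spec is "*" or {"AWS": "<arn>" | ["<arn>", ...]}; matching is exact-string only
    arns = ["*"] if spec == "*" else _as_list(spec.get("AWS", []))
    return any(a in ("*", principal_arn) for a in arns)

def _condition_holds(cond, source_ip):
    for op, kv in cond.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator {op}")
        for key, cidrs in kv.items():
            if key not in IP_KEYS:  # a misspelled key never matches on a real system
                raise ValueError(f"unknown condition key {key}")
            hit = any(ipaddress.ip_address(source_ip) in ipaddress.ip_network(c, strict=False)
                      for c in _as_list(cidrs))
            if hit == (op == "NotIpAddress"):  # IpAddress needs a hit, NotIpAddress needs none
                return False
    return True

def _statement_applies(stmt, principal_arn, action, resource, source_ip):
    if "Principal" in stmt:
        if not _principal_matches(stmt["Principal"], principal_arn):
            return False
    elif "NotPrincipal" in stmt:
        if _principal_matches(stmt["NotPrincipal"], principal_arn):
            return False
    else:  # the first policy in the thread has no principal at all: invalid as a bucket policy
        raise ValueError("bucket policy statement needs Principal or NotPrincipal")
    matches = lambda value, pats: any(fnmatchcase(value, p) for p in _as_list(pats))
    return (matches(action, stmt["Action"]) and matches(resource, stmt["Resource"])
            and _condition_holds(stmt.get("Condition", {}), source_ip))

def evaluate(policy, principal_arn, action, resource, source_ip):
    # Returns 'Deny', 'Allow' or 'NoMatch'; an explicit Deny wins over any Allow.
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, principal_arn, action, resource, source_ip)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "NoMatch"
```

Running evaluate() against the Allow-plus-unconditional-Deny draft posted earlier in the thread returns Deny for every request, because the explicit Deny overrides the Allow; that is why that version did not work.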