Object Storage

Limit access to bucket with S3 policy

SYNTAXERROR
6,576 Views

Hi folks

 

I have the following policy to limit access per groups to only one specific bucket (3 groups, 3 buckets):

{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.10"
}
}
}
]
}

 

I use this to limit access to only a specific bucket and only from one ip address. When I test it I don't see any bucket. Any Idea?

I tried it already without the ip address condition, still same problem.

 

Thank you!

1 ACCEPTED SOLUTION

SYNTAXERROR
6,340 Views

Did not work but I managed to get it working like this:


"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::12345678910111213:group/group1"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
]
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"NotIpAddress": {"aws:SourceIp": "192.168.1.10/32"}
}
}
]
}

 

Thank you for your help...

View solution in original post

10 REPLIES 10

elementx
6,523 Views

 I don't know but I simply looked at the manual and immediately spotted that you have a typo in the condition (should be sgws:SourceIp). There may be other typos or mistakes. The manuals have a few correctly working policy examples.

 

https://docs.netapp.com/sgws-110/topic/com.netapp.doc.sg-s3/GUID-53596498-9334-44DB-A4CE-DFEC28CF21FF.html?cp=5_0_5_1

SYNTAXERROR
6,497 Views

Hi

 

Thank you. This is the documentation for 11.0. In 11.3 it states that you have to use aws:SourceIp.

I also tested it without the condition.

elementx
6,494 Views

Ok, so you're on v11.3 and neither sgws: nor aws:  work.

 

1) When you remove the IP Condition, can the bucket be accessed?

 

2) When you only have the IP condition, can the bucket be accessed?

 

 

 

 

SYNTAXERROR
6,485 Views

Yeah, sorry for missing the version 😃

 

1) As mentioned this doesn't not work neither

 

2) No not yet but I will test that asap...

SYNTAXERROR
6,455 Views

2) No not yet but I will test that asap...

-> Tested now and it works as expected so it is only the bucket part which does not work...

elementx
6,451 Views

Could be a syntax error in your policy file. Can you create a "public" (or other name) test bucket and try like this?

{
  "Sid": "AllowEveryoneReadOnlyAccess",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [ "s3:GetObject", "s3:ListBucket" ],
  "Resource":[ "urn:sgws:s3:::public", "urn:sgws:s3:::public/*"],
  "Condition": {
    "IpAddress": {
    "sgws:SourceIp": "1.1.1.1/32"
  }
}

 

elementx
6,431 Views

Another example ("Deny" Policy, inverse match - Deny access to all clients but from specified subnet)

- Bucket: td01

- Td-centos server is in 10.193.205 subnet

- Client PC is not on the subnet

[root@td-centos ~]# cat td01_ip.json

{
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
         "arn:aws:s3:::td01",
         "arn:aws:s3:::td01/*"
      ],
      "Condition": {
                "NotIpAddress": {"aws:SourceIp": "10.193.205.0/24"}
      }
    }
  ]
}

[root@td-centos ~]# aws s3api put-bucket-policy --bucket td01 --profile user01 --policy file://td01_ip.json --endpoint-url https://sgdemo.netapp.com

[root@td-centos ~]#

[root@td-centos ~]# aws s3api get-bucket-policy --bucket td01 --profile user01 --endpoint-url https://sgdemo.netapp.com

{

    "Policy": "{\"Statement\":[{\"Sid\":\"IPAllow\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::td01\",\"arn:aws:s3:::td01/*\"],\"Condition\":{\"NotIpAddress\":{\"aws:SourceIp\":\"10.193.205.0/24\"}}}]}"

}

[root@td-centos ~]#


aws s3 ls s3://td01 --profile user01 --endpoint-url https://sgdemo.netapp.com
2020-09-22 16:36:23      65536 TestObject.0
2020-09-22 16:36:24      65536 TestObject.1
2020-09-22 16:36:24      65536 TestObject.2
2020-09-22 16:36:24      65536 TestObject.3
2020-09-22 16:36:24      65536 TestObject.4

# From another client

[root@td-centos ~]#

$ aws s3 ls s3://td01 --profile user02 --endpoint-url https://10.193.205.63 --no-verify-ssl

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Authorization failed.

 

SYNTAXERROR
6,394 Views

So I set the ILM policy to "Full Access" and use the following policy?:

{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::32994846229177:group/NewGroup"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"IpAddress": {"aws:SourceIp": "192.168.1.1"}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
]
}

]
}

elementx
6,376 Views

Looks good, but test it yourself to verify.

SYNTAXERROR
6,341 Views

Did not work but I managed to get it working like this:


"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::12345678910111213:group/group1"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
]
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Condition": {
"NotIpAddress": {"aws:SourceIp": "192.168.1.10/32"}
}
}
]
}

 

Thank you for your help...

Public