amazon-web-services amazon-s3 amazon-ec2 aws-policies

How can I add IP restrictions to s3 bucket(in the bucket Policy) already having a User restriction

I have a few s3 buckets, for which I have given access to only a specific IAM user. I did it by setting the following bucket policies :

Effect : "Deny"
NotPrincipal : { "AWS " : "<My_IAM_User>" }

I'm able to access the buckets only from the IAM user, so the policy works as expected, but I also want to restrict the bucket access to only a specific IP. This IP is the ec2 IP address my server is running on. The policy values I've used is as :

"Condition": {
  "NotIpAddress": {
    "aws:SourceIp": [
       "<My_EC2_Server_IP_Address>"
    ]
  }
}

I was expecting the above policy would allow only my EC2 server to access the s3 bucket objects, but if I'm making a call from any other IP ( eg : running the server on my local machine and trying to access the buckets. ) it's still responds with valid objects from the bucket. The above policy does NOT seem to block any request to access the bucket is made from other random IP addresses.

My entire bucket policy looks like :

{
    "Version": "<Version_value>",
    "Statement": [
        {
            "Sid": "<Sid_value>",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "<My_IAM_User>"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<My_Bucket_name>/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "<My_EC2_Server_IP_Address>"
                }
            }
        }
    ]
}

My References : 1. https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/ 2. https://medium.com/@devopslearning/100-days-of-devops-day-11-restricting-s3-bucket-access-to-specific-ip-addresses-a46c659b30e2

Solution

If your intention is to deny all AWS credentials except a given IAM user and to deny all IP addresses other than a given IP, then I would write that policy as two, independent deny statements.

Something like this:

{
    "Version": "<Version_value>",
    "Statement": [
        {
            "Sid": "deny1",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "<My_IAM_User>"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<My_Bucket_name>/*"
        },
        {
            "Sid": "deny2",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<My_Bucket_name>/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "<My_EC2_Server_IP_Address>"
                }
            }
        }
    ]
}

Be careful with the IP address condition. Unless you are using an Elastic IP, your EC2 instance's IP can change e.g. if you stop then restart the instance.

Also note: you should not be using IAM User credentials on an EC2 instance. Instead, you should be using IAM Roles.