
S3 bucket access restricted to VPN


I've created some sort of private documentation for my infra team, uploaded it to an S3 bucket, and would like to make it private, accessible only on our VPN.

I tried to allow these VPN IP ranges: 173.12.0.0/16 and 173.11.0.0/16, but I keep getting 403 Forbidden (inside the VPN).

Can someone help me debug or find where I'm messing up?

My bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "vpnOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::calian.io/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "173.12.0.0/16",
                        "173.11.0.0/16"
                    ]
                }
            }
        }
    ]
}

Solution

  • By default, S3 requests go via the Internet, so the requests would 'appear' to be coming from a public IP address.

    Alternatively, you could add a VPC Endpoint for S3, which would make the request come 'from' the private IP addresses.

    You might also consider using Amazon S3 Access Points to control the access to the bucket.
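As an added illustration (not code from the question or the answer above), the script below loads the bucket policy from the question and evaluates its IpAddress/aws:SourceIp condition offline, the way IAM would, against two constructed source addresses: one inside the allowed VPN ranges and one standing in for the public address a VPN egress gateway presents to S3 over the Internet. It also builds the VPC-endpoint variant of the same statement using the aws:SourceVpce condition key; the endpoint id is a placeholder, and the bucket name is the one from the question.

```python
# Added example (not from the original question or answer): evaluate an S3
# bucket policy's IpAddress condition offline the way IAM does, so you can
# see which source address a request must carry before S3 will allow it.
import ipaddress
import json

# The bucket policy from the question, embedded verbatim for the simulation.
BUCKET_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "vpnOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::calian.io/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": ["173.12.0.0/16", "173.11.0.0/16"]
                }
            }
        }
    ]
}
""")


def allowed_cidrs(policy, sid):
    """Return the CIDR ranges listed under IpAddress/aws:SourceIp for one statement."""
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == sid:
            ranges = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
            if isinstance(ranges, str):  # a single CIDR may be written as a bare string
                ranges = [ranges]
            return [ipaddress.ip_network(r, strict=False) for r in ranges]
    raise KeyError(sid)


def source_ip_matches(policy, sid, source_ip):
    """True if the request's aws:SourceIp falls inside any allowed CIDR (IAM IpAddress semantics)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowed_cidrs(policy, sid))


def explain_request(policy, sid, source_ip):
    """Decision for one request: Allow only when the condition matches, otherwise implicit Deny."""
    verdict = "Allow" if source_ip_matches(policy, sid, source_ip) else "Deny (403)"
    return f"aws:SourceIp={source_ip} -> {verdict}"


def vpc_endpoint_policy(bucket, vpce_id):
    """Equivalent statement keyed on the VPC endpoint id instead of the source IP.

    aws:SourceVpce is the condition key S3 evaluates when traffic arrives over a
    gateway endpoint; the endpoint id here is a placeholder supplied by the caller.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "vpceOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


if __name__ == "__main__":
    # Constructed sample addresses: the client's VPN-assigned address versus the
    # public address the VPN's NAT/egress gateway presents to S3 on the Internet.
    for ip in ("173.12.45.7", "203.0.113.10"):
        print(explain_request(BUCKET_POLICY, "vpnOnly", ip))
    print(json.dumps(vpc_endpoint_policy("calian.io", "vpce-EXAMPLE0123"), indent=2))
```

Running it prints an Allow for the in-range address and a Deny for the egress address, which is the situation the answer describes: S3 only ever sees the address the request arrives from, so either that egress address must be in the policy or the traffic must reach S3 through a VPC endpoint and the policy must key on aws:SourceVpce instead.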