Is aws:SourceVpc condition key present in the request context when interacting with S3 over web console?

巧了我就是萌 submitted on 2020-05-24 03:58:08

Question


I have a Bucket Policy (listed below) that is supposed to prevent access to an S3 bucket when it is accessed from anywhere other than a specific VPC. I launched an EC2 instance in the VPC, tested, and confirmed that S3 access works fine. Now, when I access the same S3 bucket over the web console, I get an 'Error - Access Denied' message.

Does this mean that the aws:SourceVpc condition key is present in the request context when interacting with S3 over the web console as well?

My assumption is that it is present in the request context, as otherwise the policy statement would have failed such that the statement's "Effect" does not apply, because there is no "IfExists" added to StringNotEquals. I am asking this question as I could not find this information in the AWS documentation. Even after adding "IfExists" to StringNotEquals, the results are the same. Can someone confirm?

{
    "Version": "2012-10-17",
    "Id": "Policy1589385141624",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::abhxy12bst3",
                "arn:aws:s3:::abhxy12bst3/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "vpc-0xy915sdfedb5667"
                }
            }
        }
    ]
}

Answer 1:


Yes, you are right. I tested the following bucket policy; the operations from the AWS S3 console are denied.

{
    "Version": "2012-10-17",
    "Id": "Policy1589385141624",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::abhxy12bst3",
                "arn:aws:s3:::abhxy12bst3/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:sourceVpc": "vpc-30*"
                }
            }
        }
    ]
}

It means there is definitely some VPC id present in the request. It might be the same for each account or it could be different.
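To see why the asker's change to "IfExists" made no difference, here is a small evaluator (added here, not code from the question or answers) that runs the question's bucket policy against constructed request contexts. It encodes the IAM condition rules as I read them from the docs (an assumption): context key names are case-insensitive, a key missing from the context makes ...IfExists and negated (Not) operators evaluate true and all other operators false; the console VPC id used below is made up, since the real value is AWS-side.

```python
import copy
import fnmatch

# Bucket policy from the question: explicit Deny unless the request carries one VPC id.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Access-to-specific-VPC-only", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::abhxy12bst3", "arn:aws:s3:::abhxy12bst3/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-0xy915sdfedb5667"}},
}]}

def condition_matches(operator, key, expected, context):
    """Evaluate one IAM string condition (assumed semantics, see lead-in):
    context keys are case-insensitive; a key missing from the request context
    makes ...IfExists and negated (Not) operators true and all others false."""
    ctx = {k.lower(): v for k, v in context.items()}
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    values = expected if isinstance(expected, list) else [expected]
    if key.lower() not in ctx:
        return if_exists or "Not" in base
    actual = ctx[key.lower()]
    if base in ("StringEquals", "StringNotEquals"):
        hit = actual in values
    elif base in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(actual, v) for v in values)
    else:
        raise ValueError(f"unsupported operator {operator}")
    return hit != ("Not" in base)  # negated operators invert the match

def is_denied(policy, context):
    """True when every condition of some Deny statement matches the context."""
    for stmt in policy["Statement"]:
        conds = stmt.get("Condition", {})
        if stmt["Effect"] == "Deny" and all(
                condition_matches(op, k, v, context)
                for op, pairs in conds.items() for k, v in pairs.items()):
            return True
    return False

def with_if_exists(policy):
    """Copy of the policy with the IfExists suffix added to every condition operator."""
    p = copy.deepcopy(policy)
    for stmt in p["Statement"]:
        stmt["Condition"] = {op + "IfExists": kv for op, kv in stmt.get("Condition", {}).items()}
    return p

# Constructed console context: the answers show some VPC id is present; this value is made up.
CONSOLE = {"aws:SourceVpc": "vpc-30aabbccdd"}
print(is_denied(POLICY, CONSOLE), is_denied(with_if_exists(POLICY), CONSOLE))
```

Because the key is present in the console request, the IfExists suffix never comes into play and both variants deny; only a request with no VPC key at all would be evaluated differently, and for a Deny statement IfExists makes such a request match too.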




Answer 2:


This will apply to all requests interacting with S3. The console just provides a GUI on top of the AWS API.



Source: https://stackoverflow.com/questions/61839977/is-awssourcevpc-condition-key-present-in-the-request-context-when-interacting-w
