AWS S3 Bucket Policy Whitelist
I have a bucket policy that whitelists my IP ranges in AWS. I have an EC2 server running a Packer build job, which tries to pull an object from my bucket and I am getting a 403 Forbidden error, even though the IP of my EC2 server running the said job is clearly within the whitelisted range. Even when I run wget from a machine within that CIDR range, I get the same error. I am confused why this is happening. The policy seems fine. Below is my bucket policy, the IP of my server, and the error:
Bucket Policy:
    {
        "Version": "2012-10-17",
        "Id": "S3PolicyId1",
        "Statement": [
            {
                "Sid": "IPAllow",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": [
                    "arn:aws:s3:::xxxxxxx",
                    "arn:aws:s3:::xxxxxxx/*"
                ],
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": [
                            "10.x.x.x/12"
                        ]
                    }
                }
            }
        ]
    }
Server IP:
10.x.x.x/32
Error:
ui,message, amazon-ebs: "msg": "Error downloading
https://s3.amazonaws.com/xxxxx/yyyy.zip to C:\temp\xxx.zip Exception
calling "DownloadFile" with "2" argument(s): "The remote server
returned an error: (403) Forbidden.""
amazon-web-services amazon-s3 whitelist
asked Nov 21 '18 at 21:55 by dmn0972, edited Nov 21 '18 at 22:38
RFC1918: youtube.com/watch?v=2xbm7VfCs2M
– jarmod
Nov 22 '18 at 1:55
2 Answers
Amazon S3 lives on the Internet.
Therefore, when communicating with S3, your system will be using a Public IP address.
However your policy only includes private IP addresses. That is why it is not working.
Your options are:
- Modify the policy to use the Public IP address of the instance(s), or the Public IP address of a NAT Gateway if your instances are in a private subnet, OR
- Create a Gateway VPC Endpoint that connects the VPC directly to Amazon S3. You can then configure a Bucket Policy that only accepts traffic via the VPC Endpoint.
answered Nov 22 '18 at 1:44 by John Rotenstein
aws:sourceIp expects a public IP address. Private addresses are, by definition, ambiguous, and 10.x.x.x/12 is a private (RFC-1918) address, so it will never match.
If you are not using an S3 VPC endpoint, you could whitelist the public IP address of your NAT Gateway (assuming all the instances with access to the gateway should be able to access the bucket).
If you are using an S3 VPC endpoint, you can't whitelist by IP:
you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html
Also, there's this:
Note: It's a best practice not to use the aws:SourceIp condition key.
https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/
answered Nov 22 '18 at 2:29 by Michael - sqlbot
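A lint for the mistake both answers describe, as an added example (not code from the question or the answers): it flags Allow statements whose aws:SourceIp condition lists an RFC 1918 range. The sample policy, bucket name and addresses are constructed; 203.0.113.10/32 is a documentation address standing in for a NAT Gateway's public IP.

```python
import ipaddress

# RFC 1918 private ranges. aws:SourceIp is compared with the public address
# S3 sees on the request, so a range inside these can never match.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_unmatchable_source_ips(policy):
    """Return (Sid, cidr) pairs for Allow statements whose IpAddress /
    aws:SourceIp condition lists a range inside RFC 1918 space."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            if operator != "IpAddress":
                continue
            for key, values in keys.items():
                # Condition key names are not case-sensitive.
                if key.lower() != "aws:sourceip":
                    continue
                for cidr in _as_list(values):
                    net = ipaddress.ip_network(cidr, strict=False)
                    if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
                        findings.append((stmt.get("Sid", "<no Sid>"), cidr))
    return findings


# Constructed sample: the shape of the policy in the question, with made-up
# values in place of the redacted bucket name and CIDR.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/12"]}}},
        {"Sid": "NatAllow", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}}},
    ],
}

if __name__ == "__main__":
    for sid, cidr in find_unmatchable_source_ips(SAMPLE_POLICY):
        print(f"{sid}: {cidr} is RFC 1918 and will never match aws:SourceIp")
```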