AWS S3 Bucket Policy Whitelist












0















I have a bucket policy that whitelists my IP ranges in AWS. I have an EC2 server running a Packer build job, which tries to pull an object from my bucket and I am getting a 403 Forbidden error, even though the IP of my EC2 server running the said job is clearly within the whitelisted range. Even when I run wget from a machine within that CIDR range, I get the same error. I am confused why this is happening. The policy seems fine. Below is my bucket policy, the IP of my server, and the error:



Bucket Policy:



{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::xxxxxxx",
"arn:aws:s3:::xxxxxxx/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.x.x.x/12"
]
}
}
}
]
}


Server IP:



10.x.x.x/32


Error:



ui,message,    amazon-ebs:     "msg": "Error downloading 
https://s3.amazonaws.com/xxxxx/yyyy.zip to C:\temp\xxx.zip Exception
calling "DownloadFile" with "2" argument(s): "The remote server
returned an error: (403) Forbidden.""









share|improve this question

























  • RFC1918: youtube.com/watch?v=2xbm7VfCs2M

    – jarmod
    Nov 22 '18 at 1:55
















0















I have a bucket policy that whitelists my IP ranges in AWS. I have an EC2 server running a Packer build job, which tries to pull an object from my bucket and I am getting a 403 Forbidden error, even though the IP of my EC2 server running the said job is clearly within the whitelisted range. Even when I run wget from a machine within that CIDR range, I get the same error. I am confused why this is happening. The policy seems fine. Below is my bucket policy, the IP of my server, and the error:



Bucket Policy:



{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::xxxxxxx",
"arn:aws:s3:::xxxxxxx/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.x.x.x/12"
]
}
}
}
]
}


Server IP:



10.x.x.x/32


Error:



ui,message,    amazon-ebs:     "msg": "Error downloading 
https://s3.amazonaws.com/xxxxx/yyyy.zip to C:\temp\xxx.zip Exception
calling "DownloadFile" with "2" argument(s): "The remote server
returned an error: (403) Forbidden.""









share|improve this question

























  • RFC1918: youtube.com/watch?v=2xbm7VfCs2M

    – jarmod
    Nov 22 '18 at 1:55














0












0








0








I have a bucket policy that whitelists my IP ranges in AWS. I have an EC2 server running a Packer build job, which tries to pull an object from my bucket and I am getting a 403 Forbidden error, even though the IP of my EC2 server running the said job is clearly within the whitelisted range. Even when I run wget from a machine within that CIDR range, I get the same error. I am confused why this is happening. The policy seems fine. Below is my bucket policy, the IP of my server, and the error:



Bucket Policy:



{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::xxxxxxx",
"arn:aws:s3:::xxxxxxx/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.x.x.x/12"
]
}
}
}
]
}


Server IP:



10.x.x.x/32


Error:



ui,message,    amazon-ebs:     "msg": "Error downloading 
https://s3.amazonaws.com/xxxxx/yyyy.zip to C:\temp\xxx.zip Exception
calling "DownloadFile" with "2" argument(s): "The remote server
returned an error: (403) Forbidden.""









share|improve this question
















I have a bucket policy that whitelists my IP ranges in AWS. I have an EC2 server running a Packer build job, which tries to pull an object from my bucket and I am getting a 403 Forbidden error, even though the IP of my EC2 server running the said job is clearly within the whitelisted range. Even when I run wget from a machine within that CIDR range, I get the same error. I am confused why this is happening. The policy seems fine. Below is my bucket policy, the IP of my server, and the error:



Bucket Policy:



{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::xxxxxxx",
"arn:aws:s3:::xxxxxxx/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.x.x.x/12"
]
}
}
}
]
}


Server IP:



10.x.x.x/32


Error:



ui,message,    amazon-ebs:     "msg": "Error downloading 
https://s3.amazonaws.com/xxxxx/yyyy.zip to C:\temp\xxx.zip Exception
calling "DownloadFile" with "2" argument(s): "The remote server
returned an error: (403) Forbidden.""






amazon-web-services amazon-s3 whitelist






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 21 '18 at 22:38







dmn0972

















asked Nov 21 '18 at 21:55









dmn0972dmn0972

806




806













  • RFC1918: youtube.com/watch?v=2xbm7VfCs2M

    – jarmod
    Nov 22 '18 at 1:55



















  • RFC1918: youtube.com/watch?v=2xbm7VfCs2M

    – jarmod
    Nov 22 '18 at 1:55

















RFC1918: youtube.com/watch?v=2xbm7VfCs2M

– jarmod
Nov 22 '18 at 1:55





RFC1918: youtube.com/watch?v=2xbm7VfCs2M

– jarmod
Nov 22 '18 at 1:55












2 Answers
2






active

oldest

votes


















2














Amazon S3 lives on the Internet.



Therefore, when communicating with S3, your system will be using a Public IP address.



However your policy only includes private IP addresses. That is why it is not working.



Your options are:




  • Modify the policy to use the Public IP address of the instance(s), or the Public IP address of a NAT Gateway if your instances are in a private subnet, OR

  • Create a Gateway VPC Endpoint that connects the VPC directly to Amazon S3. You can then configure a Bucket Policy that only accepts traffic via the VPC Endpoint.






share|improve this answer































    1














    aws:sourceIp expects a public IP address. Private addresses are, by definition, ambiguous, and 10.x.x.x/12 is a private (RFC-1918) address, so it will never match.



    If you are not using an S3 VPC endpoint, you could whitelist the public IP address of your NAT Gateway (assuming all the instances with access to thr gateway should be able to access the bucket).



    If you are using an S3 VPC endpoint, you can't whitelist by IP:




    you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range.



    https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html




    Also, there's this:




    Note: It's a best practice not to use the aws:SourceIp condition key.



    https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/







    share|improve this answer























      Your Answer






      StackExchange.ifUsing("editor", function () {
      StackExchange.using("externalEditor", function () {
      StackExchange.using("snippets", function () {
      StackExchange.snippets.init();
      });
      });
      }, "code-snippets");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "1"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53421014%2faws-s3-bucket-policy-whitelist%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      2














      Amazon S3 lives on the Internet.



      Therefore, when communicating with S3, your system will be using a Public IP address.



      However your policy only includes private IP addresses. That is why it is not working.



      Your options are:




      • Modify the policy to use the Public IP address of the instance(s), or the Public IP address of a NAT Gateway if your instances are in a private subnet, OR

      • Create a Gateway VPC Endpoint that connects the VPC directly to Amazon S3. You can then configure a Bucket Policy that only accepts traffic via the VPC Endpoint.






      share|improve this answer




























        2














        Amazon S3 lives on the Internet.



        Therefore, when communicating with S3, your system will be using a Public IP address.



        However your policy only includes private IP addresses. That is why it is not working.



        Your options are:




        • Modify the policy to use the Public IP address of the instance(s), or the Public IP address of a NAT Gateway if your instances are in a private subnet, OR

        • Create a Gateway VPC Endpoint that connects the VPC directly to Amazon S3. You can then configure a Bucket Policy that only accepts traffic via the VPC Endpoint.






        share|improve this answer


























          2












          2








          2







          Amazon S3 lives on the Internet.



          Therefore, when communicating with S3, your system will be using a Public IP address.



          However your policy only includes private IP addresses. That is why it is not working.



          Your options are:




          • Modify the policy to use the Public IP address of the instance(s), or the Public IP address of a NAT Gateway if your instances are in a private subnet, OR

          • Create a Gateway VPC Endpoint that connects the VPC directly to Amazon S3. You can then configure a Bucket Policy that only accepts traffic via the VPC Endpoint.






          share|improve this answer













          Amazon S3 lives on the Internet.



          Therefore, when communicating with S3, your system will be using a Public IP address.



          However your policy only includes private IP addresses. That is why it is not working.



          Your options are:




          • Modify the policy to use the Public IP address of the instance(s), or the Public IP address of a NAT Gateway if your instances are in a private subnet, OR

          • Create a Gateway VPC Endpoint that connects the VPC directly to Amazon S3. You can then configure a Bucket Policy that only accepts traffic via the VPC Endpoint.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 22 '18 at 1:44









          John RotensteinJohn Rotenstein

          72.8k782127




          72.8k782127

























              1














              aws:sourceIp expects a public IP address. Private addresses are, by definition, ambiguous, and 10.x.x.x/12 is a private (RFC-1918) address, so it will never match.



              If you are not using an S3 VPC endpoint, you could whitelist the public IP address of your NAT Gateway (assuming all the instances with access to thr gateway should be able to access the bucket).



              If you are using an S3 VPC endpoint, you can't whitelist by IP:




              you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range.



              https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html




              Also, there's this:




              Note: It's a best practice not to use the aws:SourceIp condition key.



              https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/







              share|improve this answer




























                1














                aws:sourceIp expects a public IP address. Private addresses are, by definition, ambiguous, and 10.x.x.x/12 is a private (RFC-1918) address, so it will never match.



                If you are not using an S3 VPC endpoint, you could whitelist the public IP address of your NAT Gateway (assuming all the instances with access to thr gateway should be able to access the bucket).



                If you are using an S3 VPC endpoint, you can't whitelist by IP:




                you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range.



                https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html




                Also, there's this:




                Note: It's a best practice not to use the aws:SourceIp condition key.



                https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/







                share|improve this answer


























                  1












                  1








                  1







                  aws:sourceIp expects a public IP address. Private addresses are, by definition, ambiguous, and 10.x.x.x/12 is a private (RFC-1918) address, so it will never match.



                  If you are not using an S3 VPC endpoint, you could whitelist the public IP address of your NAT Gateway (assuming all the instances with access to thr gateway should be able to access the bucket).



                  If you are using an S3 VPC endpoint, you can't whitelist by IP:




                  you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range.



                  https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html




                  Also, there's this:




                  Note: It's a best practice not to use the aws:SourceIp condition key.



                  https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/







                  share|improve this answer













                  aws:sourceIp expects a public IP address. Private addresses are, by definition, ambiguous, and 10.x.x.x/12 is a private (RFC-1918) address, so it will never match.



                  If you are not using an S3 VPC endpoint, you could whitelist the public IP address of your NAT Gateway (assuming all the instances with access to thr gateway should be able to access the bucket).



                  If you are using an S3 VPC endpoint, you can't whitelist by IP:




                  you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range.



                  https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html




                  Also, there's this:




                  Note: It's a best practice not to use the aws:SourceIp condition key.



                  https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/








                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Nov 22 '18 at 2:29









                  Michael - sqlbotMichael - sqlbot

                  91.6k12134197




                  91.6k12134197






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Stack Overflow!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53421014%2faws-s3-bucket-policy-whitelist%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      android studio warns about leanback feature tag usage required on manifest while using Unity exported app?

                      SQL update select statement

                      'app-layout' is not a known element: how to share Component with different Modules