How to secure an AWS S3 bucket by using a source IP bucket policy address [Solved]

There are many ways to secure an AWS S3 bucket. In the previous article the bucket was locked down by adding a condition that only allows requests made over a secure protocol (HTTPS); see the link below for the full article:

http://awsarticles.com/how-to-secure-an-aws-s3-bucket-using-a-aws-bucket-policy-solved/?preview_id=1240&preview_nonce=bdcdf32aa5&post_format=standard&_thumbnail_id=-1&preview=true

Another case is a bucket that has a public URL which you want to lock down to certain offices or network ranges. For example, you may want to post some HR documents with read-only access, but only let users read them while they are in the office.

Please note that once a bucket is public, it is very important to secure it, whichever method you prefer.

The policy we will be working with has a condition called "NotIpAddress" with the address 1.1.1.1/32 listed, and another condition called "IpAddress" that matches any IP address. The effect is that requests sourced from 1.1.1.1 are refused, while any other source IP is allowed. The policy is pretty straightforward. One caveat: the statement is an Allow, so it simply does not grant access to 1.1.1.1 (the request falls through to the implicit deny); it does not override any other grant, such as a public bucket ACL or a second Allow statement. If the block must hold regardless of other permissions, write it as an explicit Deny with the IP condition, as the AWS examples do.

More detail can be found in the AWS documentation:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

Let's put this policy to work and see how easy it is to set up. I created a bucket called "sourceip" with a file in it and set the permissions so the folder is publicly accessible. If you need instructions on how to create a bucket, the link below explains the steps:

http://awsarticles.com/how-to-secure-an-aws-s3-bucket-using-a-aws-bucket-policy-solved/?preview_id=1240&preview_nonce=bdcdf32aa5&post_format=standard&_thumbnail_id=-1&preview=true

OK, now that we have the S3 bucket created, we can add the policy. The Resource entry names the bucket, the first condition (NotIpAddress) excludes my IP address, and the second (IpAddress) allows all. Taken together, the policy allows access from any IP other than those listed in the "NotIpAddress" field.
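The policy described above was shown as a screenshot in the original post, so here is an added worked example (not the post's own policy) that builds the same shape as JSON, ready for `aws s3api put-bucket-policy --bucket sourceip --policy file://policy.json`, and then applies the aws:SourceIp condition semantics to a few source addresses so you can see who gets through. Assumptions, all mine rather than the post's: the "match any IP" entry is 0.0.0.0/0, the action is s3:GetObject, 203.0.113.0/24 is a constructed office range, and the evaluator is a simplified model of IAM's decision (explicit Deny wins, then any matching Allow, else implicit deny) that only understands the IpAddress and NotIpAddress operators and ignores ACLs, identity policies, and S3 Block Public Access. It also covers the office-only HR-documents case from earlier on the page, using the explicit-Deny form the AWS documentation recommends.

```python
"""Source-IP restriction for an S3 bucket with IpAddress / NotIpAddress.

Added example, not the post's own policy. Builds the policy shapes discussed
on the page and models how aws:SourceIp conditions are evaluated.
"""
import ipaddress
import json

BUCKET = "sourceip"                  # bucket name used on the page
EXCLUDED = ["1.1.1.1/32"]            # address the page lists under NotIpAddress
ANY_IPV4 = ["0.0.0.0/0"]             # assumed value of the page's "match any IP" entry
OFFICE = ["203.0.113.0/24"]          # constructed office range (TEST-NET-3)


def statement(sid, effect, conditions, action="s3:GetObject"):
    """One bucket-policy statement; conditions maps IpAddress/NotIpAddress to CIDR lists."""
    st = {
        "Sid": sid,
        "Effect": effect,
        "Principal": "*",
        "Action": action,
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }
    if conditions:
        st["Condition"] = {op: {"aws:SourceIp": list(cidrs)} for op, cidrs in conditions.items()}
    return st


def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# The page's policy: Allow from anywhere except the listed address.
ALLOW_EXCEPT = policy(statement("AllowAllExceptListed", "Allow",
                                {"IpAddress": ANY_IPV4, "NotIpAddress": EXCLUDED}))
# Same intent as an explicit Deny: blocks the listed address even if another grant exists.
DENY_LISTED = policy(statement("DenyListedIps", "Deny", {"IpAddress": EXCLUDED}, action="s3:*"))
# Office-only (the page's HR-documents case): Deny everything not from the office range.
OFFICE_ONLY = policy(statement("DenyOutsideOffice", "Deny", {"NotIpAddress": OFFICE}, action="s3:*"))
# A separate public-read grant, standing in for a public ACL or a second Allow statement.
PUBLIC_READ = policy(statement("PublicRead", "Allow", None))


def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, source_ip):
    """IpAddress: source is in at least one listed range. NotIpAddress: source is in none."""
    for op, kv in condition.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator {op} not modelled here")
        cidrs = kv["aws:SourceIp"]
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        hit = _in_any(source_ip, cidrs)
        if op == "IpAddress" and not hit:
            return False
        if op == "NotIpAddress" and hit:
            return False
    return True


def _action_matches(pattern, action):
    pats = [pattern] if isinstance(pattern, str) else pattern
    return any(p == action or p == "s3:*" for p in pats)


def evaluate(policies, source_ip, action="s3:GetObject"):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow, else implicit deny.
    S3 answers both Deny and ImplicitDeny with 403 AccessDenied, which is what the page observed."""
    allowed = False
    for pol in policies:
        for st in pol["Statement"]:
            if not _action_matches(st["Action"], action):
                continue
            if not _condition_holds(st.get("Condition", {}), source_ip):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def policy_json(pol):
    """Serialise for: aws s3api put-bucket-policy --bucket sourceip --policy file://policy.json"""
    return json.dumps(pol, indent=2)


if __name__ == "__main__":
    print(policy_json(ALLOW_EXCEPT))
    cases = [([ALLOW_EXCEPT], "page policy alone"),
             ([ALLOW_EXCEPT, PUBLIC_READ], "page policy + separate public grant"),
             ([DENY_LISTED, PUBLIC_READ], "explicit Deny + separate public grant"),
             ([OFFICE_ONLY, PUBLIC_READ], "office-only Deny + public grant")]
    for pols, label in cases:
        for ip in ("1.1.1.1", "203.0.113.7"):
            print(f"{label:40} {ip:>12} -> {evaluate(pols, ip)}")
```

The second case is the one to watch: with the page's Allow-only policy, a separate public grant lets 1.1.1.1 read the object, because the Allow statement merely declines to grant rather than forbidding. The explicit-Deny forms block the address no matter what else is attached to the bucket.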

Let's now access this link from the laptop and see what I get: I get access denied. Now, if I use another account, it will be accessible. I hope this is useful.

Please note that this is a key question in the AWS exam and can get you points.
