Question:
I am trying to write an AWS S3 bucket policy that denies all traffic except when it comes from two VPCs. The policy I'm trying to write looks like the one below, with a logical AND between the two StringNotEquals (except it's an invalid policy):
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Allow-access-only-from-two-VPCs",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbccc"
        },
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbddd"
        }
      },
      "Principal": "*"
    }
  ]
}
If I use this:
"StringNotEquals": {
  "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
}
then at least one of the string comparisons returns true and the S3 bucket is not accessible from anywhere.
Answer:
Never tried this before. But the following should work. From: Using IAM Policy Conditions for Fine-Grained Access Control
"Condition": {
  "ForAllValues:StringNotEquals": {
    "aws:sourceVpc": [
      "vpc-111bbccc",
      "vpc-111bbddd"
    ]
  }
}