
I'm debugging an AccessDenied error when using my EC2 instance ID as the Condition for a bucket policy. The following bucket policy throws an Access Denied error when I try to do a simple PutObject:

{
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::ACTUAL-BUCKET-NAME/*",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": ["arn:aws:ec2:region:ACTUAL-ACCOUNT-ID:instance/ACTUAL-INSTANCE_ID"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
        "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl", "s3:DeleteObject", "s3:DeleteObjectVersion",
        "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload",
        "s3:GetObjectTorrent", "s3:GetObjectVersionTorrent", "s3:RestoreObject"
      ],
      "Resource": "arn:aws:s3:::ACTUAL-BUCKET-NAME/*",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": ["arn:aws:ec2:region:ACTUAL-ACCOUNT-ID:instance/ACTUAL-INSTANCE_ID"]
        }
      }
    }
  ]
}

However, if I change the Condition to the IP of the instance, I no longer get my errors and am able to PutObject all day.

{
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::ACTUAL-BUCKET-NAME/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "ACTUAL-IP-ADDRESS"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
        "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl", "s3:DeleteObject", "s3:DeleteObjectVersion",
        "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload",
        "s3:GetObjectTorrent", "s3:GetObjectVersionTorrent", "s3:RestoreObject"
      ],
      "Resource": "arn:aws:s3:::ACTUAL-BUCKET-NAME/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "ACTUAL-IP-ADDRESS"
        }
      }
    }
  ]
}

The command I'm using to test with is

echo "hi" | aws s3 cp - s3://ACTUAL-BUCKET-NAME/ACTUAL-FILE-NAME --no-sign-request --region us-east-1

What I've tried

I've tried changing my Condition to ArnLike with no better results.

I've tried modifying the ARN because I'm not sure if I need to replace region or account ID with actual values or if I can leave them as 'variables' -- but again, it didn't matter.

Rabbott
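The difference between the two policies comes down to which condition keys are actually present in the request context. A direct S3 call made from an EC2 instance (signed or, as here, with --no-sign-request) carries the caller's address in aws:SourceIp, but aws:SourceArn is only populated when an AWS service makes the call on the caller's behalf, so it is simply missing for this request. IAM then applies its missing-key rule: a positive operator such as ArnEquals evaluates to false when its key is absent, while a negated operator such as ArnNotEquals evaluates to true. In the first policy that makes the Deny statement match and the Allow statement fail, and an explicit Deny always wins. The toy evaluator below is an added example, not the poster's code and not an AWS library; the bucket, instance ARN and IP addresses are constructed placeholders, and it models only the operators the two policies use.

```python
"""Toy IAM condition evaluator (added example; not AWS code, not the poster's).
It models ArnEquals/ArnNotEquals, IpAddress/NotIpAddress, the missing-key rule
and explicit-Deny-overrides-Allow, which is all the two bucket policies above need.
Principal matching is skipped because every statement uses Principal "*"."""
import fnmatch
import ipaddress

# Operators whose result is inverted; a *missing* key makes these evaluate TRUE.
NEGATED = {"ArnNotEquals", "ArnNotLike", "NotIpAddress"}

def _value_matches(operator, pattern, value):
    if operator.startswith("Arn"):
        # Arn* operators accept * and ? wildcards; fnmatchcase is case-sensitive.
        return fnmatch.fnmatchcase(value, pattern)
    # IpAddress / NotIpAddress: pattern is a CIDR block or a bare address (/32 or /128).
    return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)

def condition_passes(condition, context):
    """Every condition block must pass; a block passes if any listed value matches."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            if key not in context:
                # Positive operators fail on a missing key; negated ones succeed.
                if operator not in NEGATED:
                    return False
                continue
            hit = any(_value_matches(operator, p, context[key]) for p in patterns)
            if (operator in NEGATED) == hit:
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'ALLOW', 'DENY' (explicit) or 'IMPLICIT_DENY' for a single request."""
    effects = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if condition_passes(stmt.get("Condition", {}), context):
            effects.add(stmt["Effect"])
    if "Deny" in effects:          # an explicit Deny overrides any Allow
        return "DENY"
    return "ALLOW" if "Allow" in effects else "IMPLICIT_DENY"

# Constructed sample values; none of these refer to real resources.
BUCKET = "arn:aws:s3:::example-bucket/*"
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
INSTANCE_IP = "203.0.113.10"

def bucket_policy(allow_operator, deny_operator, key, value):
    """Build the poster's two-statement shape around one condition key/operator pair."""
    return {"Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": BUCKET,
         "Condition": {deny_operator: {key: [value]}}},
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": BUCKET, "Condition": {allow_operator: {key: [value]}}},
    ]}

ARN_POLICY = bucket_policy("ArnEquals", "ArnNotEquals", "aws:SourceArn", INSTANCE_ARN)
IP_POLICY = bucket_policy("IpAddress", "NotIpAddress", "aws:SourceIp", INSTANCE_IP)

# A direct S3 call from the instance carries the caller's IP but NOT aws:SourceArn;
# that key only appears when an AWS service calls S3 on the caller's behalf.
DIRECT_CALL_CONTEXT = {"aws:SourceIp": INSTANCE_IP}

def outcomes():
    obj = "arn:aws:s3:::example-bucket/hello.txt"
    return {
        "arn_policy": evaluate(ARN_POLICY, "s3:PutObject", obj, DIRECT_CALL_CONTEXT),
        "ip_policy": evaluate(IP_POLICY, "s3:PutObject", obj, DIRECT_CALL_CONTEXT),
        # Same IP policy after the instance's public address changed
        # (e.g. a stop/start without an Elastic IP).
        "ip_policy_new_ip": evaluate(IP_POLICY, "s3:PutObject", obj,
                                     {"aws:SourceIp": "198.51.100.7"}),
    }

if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name}: {result}")
```

Running it reproduces the symptom: the ARN-conditioned policy yields DENY for the direct call because the Deny statement's ArnNotEquals is satisfied by the absent key, while the IP-conditioned policy yields ALLOW. The third case shows why the IP workaround is brittle from a defender's point of view: the moment the instance's address changes, the same anonymous PutObject is explicitly denied, and conversely anything else that shares that address is allowed. Binding access to an identity (an instance role evaluated through identity-based policy) rather than to a source address avoids both problems.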

1 Answer


That's generally not how you provide an EC2 server access to an S3 bucket. You would usually do that by assigning the appropriate IAM role to the EC2 server instead of using an S3 bucket policy.

If you absolutely have to accomplish this via a bucket policy, I would recommend reading the answers to this question.

Mark B