Hi folks,
Looking for guidance on how to do an S3 bucket policy with multiple statements that are evaluated as a logical OR. I knew that multiple conditions in the same statement are a "logical AND", but I thought breaking out a second statement would be evaluated as a "logical OR". I am obviously wrong, though, as I locked everyone out of the bucket and now I have to get root creds to unfix my error. Embarrassing!
This was the intent:
• Internal developers want to use s3 static website hosting
• The website hosting is for private internal services only that can’t be exposed to the world
• However, S3 static hosting requires public read permissions on the bucket and objects, so …
◦ The idea was to drop a bucket policy in place with two different rules:
◦ Deny access if not coming from one of the known internet egress IPs used by the org
◦ Deny access if not coming from a VPC endpoint of ours
But my policy did not work as expected. Is there a way to clean up or correct something like this?
{
  "Version": "2012-10-17",
  "Id": "111",
  "Statement": [{
    "Sid": "DenyExceptForKnownEgressIPs",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::redacted-bucket/*",
      "arn:aws:s3:::redacted-bucket"
    ],
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": [
          "xx.xx.xx.xx/32"
        ]
      }
    }
  }, {
    "Sid": "DenyExceptFromVPCendpoint",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::redacted-bucket/*",
      "arn:aws:s3:::redacted-bucket"
    ],
    "Condition": {
      "StringNotEquals": {
        "aws:SourceVpce": [
          "vpc-xxxxxxx"
        ]
      }
    }
  }]
}
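Added example (not from the original post): a toy model of how IAM evaluates the two Deny statements above, showing why they deny every request, and how the intended "deny unless known egress IP or our VPC endpoint" is expressed as one Deny statement whose two negated conditions are ANDed. The IP range and endpoint ID are constructed placeholders; note that aws:SourceVpce expects a VPC endpoint ID (vpce-...), not a VPC ID.

```python
"""Toy model of IAM Deny evaluation for the post's bucket policy (added example).
IAM denies if ANY Deny statement matches; conditions inside ONE statement are ANDed,
so two "Deny unless X" statements mean "Deny unless X AND Y", while "unless X OR Y"
needs both negated conditions in one statement. Negated operators match when the key is absent."""
import ipaddress

KNOWN_EGRESS = ["203.0.113.10/32"]        # constructed, stands in for xx.xx.xx.xx/32
KNOWN_VPCE = ["vpce-0123456789abcdef0"]   # constructed; aws:SourceVpce takes vpce-* IDs


def statement_matches(stmt: dict, ctx: dict) -> bool:
    """AND across every operator/key in the statement's Condition block."""
    for op, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            actual = ctx.get(key)
            if actual is None:
                continue  # key absent from request context: a negated operator matches
            if op == "NotIpAddress":
                if any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values):
                    return False
            elif op == "StringNotEquals":
                if actual in values:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


def is_denied(policy: dict, ctx: dict) -> bool:
    """An explicit Deny wins as soon as one Deny statement matches."""
    return any(s["Effect"] == "Deny" and statement_matches(s, ctx) for s in policy["Statement"])


def deny_stmt(sid: str, cond: dict) -> dict:
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::redacted-bucket/*", "arn:aws:s3:::redacted-bucket"],
            "Condition": cond}


IP_COND = {"NotIpAddress": {"aws:SourceIp": KNOWN_EGRESS}}
VPCE_COND = {"StringNotEquals": {"aws:SourceVpce": KNOWN_VPCE}}

# Shape from the post: two separate Deny statements, each denies on its own (locks everyone out).
TWO_STATEMENTS = {"Version": "2012-10-17", "Statement": [
    deny_stmt("DenyExceptForKnownEgressIPs", IP_COND),
    deny_stmt("DenyExceptFromVPCendpoint", VPCE_COND)]}
# Fix: one Deny carrying both conditions, so it matches only when NEITHER source is known.
ONE_STATEMENT = {"Version": "2012-10-17", "Statement": [
    deny_stmt("DenyUnlessKnownEgressOrVpce", {**IP_COND, **VPCE_COND})]}

# Constructed request contexts; a request via a VPC endpoint carries no aws:SourceIp.
FROM_OFFICE = {"aws:SourceIp": "203.0.113.10"}
FROM_VPCE = {"aws:SourceVpce": "vpce-0123456789abcdef0"}
FROM_INTERNET = {"aws:SourceIp": "198.51.100.7"}
```

The Deny only narrows access; the website endpoint still needs an Allow for s3:GetObject on the bucket's objects, and S3 Block Public Access settings that permit that policy.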