AWS S3: IAM Policy with Deny IP Block Denies All IPs

I have an IAM policy bound to a user that includes a block like:

...
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "0.0.0.0/0"
                    ]
                }
            }
        }
...

If my understanding is correct, this should allow any IP -- this block should have no effect. However, when I try to do some S3 operations as a user that is bound to this policy, the actions yield Access Denied. When I remove this block from the IAM policy, the S3 operations are allowed.

What is wrong with this policy, or my understanding thereof?

I've tried a similar policy with a real array of IPs that I want to allow through, but got the same result -- so I figured this would be a better minimal example to clarify my understanding.

CodePudding user response:

When using the actual list of trusted IPs, it turns out that S3 was seeing the internal IPs of the source nodes, not their external IPs (which is what I was including in the list). Filtering based on the internal IPs or based on the VPC ID that contained all the nodes worked. This still doesn't explain why a filter using 0.0.0.0/0 as above blocked any traffic, but hopefully this helps in case anyone else runs into something like this.
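The following is an added example, not code from the question or the answer above. It is a toy evaluator for the Deny statement in the question that models two rules AWS documents for policy conditions: IP conditions are compared per address family, so an IPv4 range such as 0.0.0.0/0 never matches an IPv6 client address; and when a condition key is absent from the request context, IpAddress is false while the negated NotIpAddress (and StringNotEquals) is true. aws:SourceIp is absent for requests that reach S3 through a VPC endpoint (aws:VpcSourceIp carries the private address instead), which is one way a NotIpAddress Deny ends up denying all of that traffic. The scoped variant, the IP ranges, the VPC ID and the request contexts are constructed for illustration; the evaluator is a simplified model, not AWS's own.

```python
"""Toy model of how a Deny/NotIpAddress statement matches an S3 request context.

Added example. Models two AWS-documented rules (not the real IAM evaluator):
  * IP ranges only match addresses of the same family (IPv4 vs IPv6).
  * A missing condition key makes IpAddress/StringEquals false and the
    negated NotIpAddress/StringNotEquals true.
"""
import ipaddress

# The statement from the question, unchanged.
DENY_STATEMENT = {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["0.0.0.0/0"]}},
}

# Constructed variant: deny unless the public IP is on the list OR the request
# came through an endpoint in the named VPC (placeholder ID, not a real VPC).
SCOPED_DENY_STATEMENT = {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {
        "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "StringNotEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"},
    },
}

# Constructed request contexts (the key/value pairs IAM would see).
REQUESTS = {
    "public_ipv4": {"aws:SourceIp": "203.0.113.10"},
    "other_public_ipv4": {"aws:SourceIp": "198.51.100.7"},
    "public_ipv6": {"aws:SourceIp": "2001:db8::1"},          # dual-stack endpoint
    "vpc_endpoint": {"aws:VpcSourceIp": "10.0.1.23",         # aws:SourceIp absent
                     "aws:SourceVpc": "vpc-0123456789abcdef0"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(ip, cidrs):
    """True if ip falls in any CIDR of the same address family."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def condition_matches(condition, context):
    """All operators and all keys must hold for the Condition block to match."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            values = _as_list(values)
            present = key in context
            if operator == "IpAddress":
                ok = present and _ip_in_any(context[key], values)
            elif operator == "NotIpAddress":
                # Negated operator: a missing key counts as a match.
                ok = (not present) or not _ip_in_any(context[key], values)
            elif operator == "StringEquals":
                ok = present and context[key] in values
            elif operator == "StringNotEquals":
                ok = (not present) or context[key] not in values
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def is_denied(statement, context):
    """Action/Resource are '*' in both statements, so only the Condition decides."""
    return statement["Effect"] == "Deny" and condition_matches(
        statement.get("Condition", {}), context)


def evaluate(statement):
    """Map each constructed request to whether this Deny statement fires."""
    return {name: is_denied(statement, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for label, stmt in (("0.0.0.0/0 deny", DENY_STATEMENT),
                        ("scoped deny", SCOPED_DENY_STATEMENT)):
        print(label)
        for name, denied in evaluate(stmt).items():
            print(f"  {name:<18} denied={denied}")
```

With the 0.0.0.0/0 statement the model denies both the IPv6 request and the VPC-endpoint request, while the ordinary public IPv4 request passes; the scoped variant lets the listed public range and the named VPC through and denies everything else. To check the real thing rather than this model, the AWS CLI's `aws iam simulate-custom-policy` accepts the policy document together with `--context-entries` for keys such as aws:SourceIp and reports the resulting decision without touching the bucket.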