https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip
Everything important is in the AWS documentation linked above.

Summary
- aws:SourceIp: specifying it as a list did not work (NG)
- When going through a VPC endpoint, use aws:VpcSourceIp instead of aws:SourceIp

Basic mistake
aws:SourceIp as a list: no good
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3-a",
                "arn:aws:s3:::s3-a/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountEC2Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/iam-a"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::s3-a",
                "arn:aws:s3:::s3-a/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "172.31.XXX.0/27"
                    ]
                }
            }
        }
    ]
}
↑ Did not work
Removing the list made it work
↓ Worked
Command
aws s3api put-object --bucket s3-a --key test.txt
{
    "VersionId": "fzwymj0plYsbv6vcD0ckKvsXefKXAqDF",
    "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
    "ServerSideEncryption": "AES256"
}
Policy (the changed line is the aws:SourceIp value, now a plain string instead of a list)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3-a",
                "arn:aws:s3:::s3-a/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountEC2Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/iam-a"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::s3-a",
                "arn:aws:s3:::s3-a/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "172.31.XXX.0/27"
                }
            }
        }
    ]
}
Going further
But once a VPC endpoint (gateway) is added to the route table...
aws s3api put-object --bucket s3-a --key test.txt
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
This is because the route through the VPC endpoint takes precedence, so the request arrived with a private IP address as its source.
Therefore, both the allowed IP range and the condition key (aws:VpcSourceIp) need to be changed.
Wrong
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3-a",
                "arn:aws:s3:::s3-a/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountEC2Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/iam-a"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::s3-a",
                "arn:aws:s3:::s3-a/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.XX.XX.0/27"
                }
            }
        }
    ]
}
Switching to the correct key made it work
Command
aws s3api put-object --bucket s3-a --key test.txt
{
    "VersionId": "q_iSzdIbEdrQRVOqwnNZuQgnyYQJBXER",
    "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
    "ServerSideEncryption": "AES256"
}
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3-a",
                "arn:aws:s3:::s3-a/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountEC2Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/iam-a"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::s3-a",
                "arn:aws:s3:::s3-a/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:VpcSourceIp": "10.XX.XX.0/27"
                }
            }
        }
    ]
}
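To make the "wrong" versus "correct" behaviour in the VPC endpoint section concrete, here is a small added example (my own code, not AWS's policy engine and not part of the original post) that models the part of IAM condition evaluation involved. The model follows the AWS documentation linked at the top: aws:SourceIp is not in the request context when the request is made through a VPC endpoint, aws:VpcSourceIp is present only in that case, and a condition on a key that is absent from the context evaluates to false, so the Allow statement never matches and the result is the implicit deny seen as AccessDenied. The CIDRs 172.31.0.0/27 and 10.1.2.0/27 are constructed stand-ins for the post's masked ranges, and Principal matching is deliberately left out (the caller is assumed to be the allowed role).

```python
"""Toy evaluator for the Bool / IpAddress conditions used in the bucket policies above.

Added example, not AWS code. It covers only: action and resource matching with
wildcards, the Bool and IpAddress / NotIpAddress operators, "missing key => false",
and the explicit-deny / allow / implicit-deny ordering.
"""
import fnmatch
import ipaddress

# Constructed sample ranges standing in for 172.31.XXX.0/27 and 10.XX.XX.0/27.
PUBLIC_SIDE_CIDR = "172.31.0.0/27"
VPC_SIDE_CIDR = "10.1.2.0/27"


def make_policy(ip_condition_key, cidr):
    """Build the post's two-statement bucket policy with the given IP condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Deny anything that is not TLS, regardless of source.
                "Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*",
                "Resource": ["arn:aws:s3:::s3-a", "arn:aws:s3:::s3-a/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Allow the role only from the expected network.
                "Sid": "AllowCrossAccountEC2Access", "Effect": "Allow",
                "Principal": {"AWS": ["arn:aws:iam::123456789012:role/iam-a"]},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::s3-a", "arn:aws:s3:::s3-a/*"],
                "Condition": {"IpAddress": {ip_condition_key: cidr}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(value, cidrs):
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


OPERATORS = {
    "IpAddress": _ip_in,
    "NotIpAddress": lambda v, c: not _ip_in(v, c),
    "Bool": lambda v, c: str(v).lower() == str(c).lower(),
}


def condition_matches(condition, context):
    """All operators and all keys must match; a key absent from the context fails."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in context:
                return False
            if not OPERATORS[operator](context[key], expected):
                return False
    return True


def statement_applies(stmt, action, resource):
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
        any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def evaluate(policy, action, resource, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' (what the CLI shows as AccessDenied)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # an explicit deny always wins
        decision = "Allow"
    return decision


def request_context(ip, via_vpc_endpoint, secure=True):
    """Model the request context: only one of the two source-IP keys is present."""
    ctx = {"aws:SecureTransport": "true" if secure else "false"}
    ctx["aws:VpcSourceIp" if via_vpc_endpoint else "aws:SourceIp"] = ip
    return ctx


ACTION, RESOURCE = "s3:PutObject", "arn:aws:s3:::s3-a/test.txt"


def put_object_decision(ip_condition_key, cidr, ip, via_vpc_endpoint, secure=True):
    policy = make_policy(ip_condition_key, cidr)
    return evaluate(policy, ACTION, RESOURCE, request_context(ip, via_vpc_endpoint, secure))


if __name__ == "__main__":
    # Direct (non-endpoint) request, public-side range: Allow
    print(put_object_decision("aws:SourceIp", PUBLIC_SIDE_CIDR, "172.31.0.5", False))
    # Same policy once traffic goes through the endpoint: ImplicitDeny (the post's AccessDenied)
    print(put_object_decision("aws:SourceIp", VPC_SIDE_CIDR, "10.1.2.5", True))
    # Corrected key: Allow
    print(put_object_decision("aws:VpcSourceIp", VPC_SIDE_CIDR, "10.1.2.5", True))
    # Plain HTTP from the right place is still denied by the first statement
    print(put_object_decision("aws:VpcSourceIp", VPC_SIDE_CIDR, "10.1.2.5", True, secure=False))
```

The third and fourth calls are the useful ones to keep in mind when reviewing a policy like this: the SecureTransport deny is independent of the source-IP key, so fixing the key changes an implicit deny into an allow only for TLS requests, and a request from inside the allowed range but outside the endpoint path still carries aws:SourceIp, not aws:VpcSourceIp, and is still denied.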