Why is my static website on Amazon S3 still accessible from public IP addresses even though I restricted access to a specific Amazon VPC?

4 minute read
0

I use Amazon Simple Storage Service (Amazon S3) to host my static website. I attached a bucket policy that limits access to only a specific Amazon Virtual Private Cloud (Amazon VPC). However, I can still access the website from public IP addresses.

Resolution

Before you troubleshoot the issue, be sure to complete the following steps:

  • Clear your web browser or proxy cache so that you view the latest configuration.
  • Confirm that the Amazon Elastic Compute Cloud (Amazon EC2) instance that you access the bucket from is in the same AWS Region as the bucket.
  • Associate the VPC endpoint to the route table of the EC2 instance that you use. This way, the traffic associates with the VPC ID that's referenced in the bucket policy.

Check the bucket policy

Confirm that the bucket policy allows access to the bucket from the VPC. To verify this, review the statements in your bucket policy. For example, the following bucket policy statement allows s3:GetObject on the condition that the request is from vpc-id123456.

{
  "Version": "2012-10-17",
  "Id": "Policy1",
  "Statement": [{
    "Sid": "Access-to-Trusted-VPC-only",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject*",
    "Resource": "arn:aws:s3:::awsexamplebucket/*",
    "Condition": {
      "StringEquals": {
        "aws:sourceVpc": "vpc-id123456"
      }
    }
  }]
}

Note: Static website hosting allows unauthenticated (anonymous) requests. However, if a user authenticates, then you can grant them access based on their credentials. For example, suppose that a user authenticates with an AWS Identity and Access Management (IAM) role that has full access to Amazon S3. This user can still download objects outside of the VPC, despite the following bucket policy. For a more restrictive bucket policy, see Restricting access to a specific VPC. Restricting access to a specific VPC denies access even to administrator or AWS account root users for requests that don't come from the VPC.

Check the object access control list (ACL)

After you confirm that the bucket policy is correct, check if any object ACLs allow public access. If some object ACLs allow public access and you want to override the ACLs, then take one of the following actions:

  • Configure the public access settings for the individual bucket or your AWS account.
  • Add an explicit deny statement to the bucket policy.

To override object ACLs, use the Amazon S3 console to configure the individual bucket's public access settings or your account's public access settings. Select the following options:

  • Block public access to buckets and objects granted through new access control lists (ACLs)
  • Block public access to buckets and objects granted through any access control lists (ACLs)

Note: You can also use AWS Command Line Interface (AWS CLI), an AWS SDK, or the Amazon S3 REST API to configure the bucket's public access settings. For more information, see Blocking public access to your Amazon S3 storage.

To use a bucket policy to override object ACLs, add a statement that explicitly denies actions when the request isn't from the VPC. For example, the following bucket policy includes a statement that explicitly denies s3:GetObject when the request isn't from vpc-id123456.

Warning: Because this example bucket policy includes an explicit deny statement, review the parameters for explicit denial of access before you save the policy. If you get accidentally locked out, then see How do I regain access to my Amazon S3 bucket after I accidentally denied everyone access?

{
  "Version": "2012-10-17",
  "Id": "Policy1",
  "Statement": [{
      "Sid": "Access-to-Trusted-VPC-only",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpc": "vpc-id123456"
        }
      }
    },
    {
      "Sid": "Deny-Access-Except-For-Trusted-VPC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-id123456"
        }
      }
    }
  ]
}

Related information

AWS Policy Generator

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago