
September 11, 2020

S3 Bucket policy - restrict by IP, require HTTPS

The S3 bucket policy below allows a Lambda function to reach a bucket through the public S3 endpoint, restricted to the VPC's NAT gateway public IP and to HTTPS requests. A more secure and lower-latency option is an S3 gateway VPC endpoint, conditioned on aws:SourceVpce instead of aws:SourceIp; that requires the function to run in a VPC subnet whose route table carries the endpoint's prefix-list route. That route is more specific than the 0.0.0.0/0 route to a NAT gateway or internet gateway, so S3 traffic uses the endpoint even when the subnet also has internet access. Only a subnet without the prefix-list route falls back to the public S3 endpoint through the NAT gateway, which is the case this policy covers.

Two caveats on the policy itself. It is a single Allow statement, so on its own it does not require HTTPS or the NAT gateway IP: a principal in the same account whose IAM policy already grants s3:* can still use plain HTTP or a different source IP, because a failed condition only withholds this Allow, it never denies. Requiring HTTPS takes an explicit Deny with aws:SecureTransport set to false, and pinning the source IP takes a Deny with NotIpAddress. And Principal "*" combined with s3:* gives every caller behind that NAT gateway IP, including unauthenticated requests and anything else in the VPC that egresses through it, full control of the bucket (s3:PutBucketPolicy and s3:DeleteBucket included). Scoping the principal to the function's execution role and the actions to what it actually uses is the safer form.

{
    "Version": "2012-10-17",
    "Id": "PolicyAllowLambdaNAT_GW_IP",
    "Statement": [
        {
            "Sid": "AllowLambdaNAT_GW_IP",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::lambda-bucket/*",
                "arn:aws:s3:::lambda-bucket"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                },
                "IpAddress": {
                    "aws:SourceIp": [
                        "1.2.3.4/32"
                    ]
                }
            }
        }
    ]
}
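To see the difference between the Allow-only policy above and a Deny-based variant, here is an added example (not the post's own code) that simulates, offline, how S3 evaluates both against a handful of constructed requests. The evaluation is a simplification of IAM's same-account logic (an explicit Deny wins, then any Allow from the bucket policy or the caller's identity policy, otherwise implicit deny); the account ID, the execution role name lambda-bucket-role, the hardened policy and the sample requests are assumptions for illustration, while the bucket name and NAT gateway IP come from the post.

```python
"""Offline simulation of S3 bucket-policy evaluation for the post's policy
and a hardened variant. Added example; role ARN, account ID, hardened policy
and sample requests are constructed, not taken from the post."""
import fnmatch
import ipaddress

BUCKET_ARNS = ["arn:aws:s3:::lambda-bucket/*", "arn:aws:s3:::lambda-bucket"]
NAT_GW_CIDR = "1.2.3.4/32"                                   # from the post
ROLE = "arn:aws:iam::123456789012:role/lambda-bucket-role"   # assumed name

# The post's policy: one Allow statement, open principal, all S3 actions.
ALLOW_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowLambdaNAT_GW_IP", "Effect": "Allow", "Principal": "*",
    "Action": "s3:*", "Resource": BUCKET_ARNS,
    "Condition": {"Bool": {"aws:SecureTransport": "true"},
                  "IpAddress": {"aws:SourceIp": [NAT_GW_CIDR]}}}]}

# Hardened variant (assumption): Allow scoped to the execution role and the
# actions it needs, plus explicit Denies for plain HTTP and for other IPs.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowLambdaRoleFromNatOverTls", "Effect": "Allow",
     "Principal": {"AWS": ROLE},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": BUCKET_ARNS,
     "Condition": {"Bool": {"aws:SecureTransport": "true"},
                   "IpAddress": {"aws:SourceIp": [NAT_GW_CIDR]}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyOtherSourceIps", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"NotIpAddress": {"aws:SourceIp": [NAT_GW_CIDR]}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, principal_arn):
    """'*' matches every caller, including anonymous (principal_arn None)."""
    if stmt_principal == "*":
        return True
    allowed = _as_list(stmt_principal.get("AWS", []))
    return "*" in allowed or (principal_arn is not None and principal_arn in allowed)


def _condition_matches(condition, ctx):
    """Only the operators used above are modelled: Bool, IpAddress, NotIpAddress."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), ctx.get(key)
            if operator == "Bool":
                if actual is None or actual.lower() not in [e.lower() for e in expected]:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(e, strict=False)
                    for e in expected)
                # IpAddress needs a hit; NotIpAddress needs a miss (a missing key counts as a miss).
                if (operator == "IpAddress") != in_range:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, request, identity_allows=False):
    """Same-account evaluation, simplified: an explicit Deny in the bucket
    policy wins; otherwise an Allow from the bucket policy or from the caller's
    identity-based policy grants; otherwise the request is implicitly denied."""
    explicit_deny = bucket_allow = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], request["principal_arn"])
                and any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"]))
                and _condition_matches(stmt.get("Condition", {}), request["context"])):
            continue
        if stmt["Effect"] == "Deny":
            explicit_deny = True
        else:
            bucket_allow = True
    if explicit_deny:
        return "DENY"
    return "ALLOW" if (bucket_allow or identity_allows) else "DENY"


def request(source_ip, https, principal_arn=ROLE, action="s3:GetObject"):
    """Constructed request context; aws:SecureTransport is a string in IAM."""
    return {"action": action, "resource": "arn:aws:s3:::lambda-bucket/report.csv",
            "principal_arn": principal_arn,
            "context": {"aws:SourceIp": source_ip,
                        "aws:SecureTransport": "true" if https else "false"}}


def compare(policy):
    """Outcome of five constructed requests under one policy."""
    nat_ip, other_ip = "1.2.3.4", "203.0.113.9"
    return {
        "lambda_https":    evaluate(policy, request(nat_ip, True)),
        "lambda_http_iam": evaluate(policy, request(nat_ip, False), identity_allows=True),
        "other_ip_iam":    evaluate(policy, request(other_ip, True), identity_allows=True),
        "anon_from_nat":   evaluate(policy, request(nat_ip, True, principal_arn=None)),
        "anon_elsewhere":  evaluate(policy, request(other_ip, True, principal_arn=None)),
    }


if __name__ == "__main__":
    for name, policy in (("post's policy", ALLOW_ONLY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, compare(policy))
```

Under the post's policy the Lambda request over HTTPS is allowed, but so is an anonymous request from the NAT gateway IP, and a same-account principal with its own IAM grant gets through over plain HTTP and from any IP. Under the hardened policy only the execution role, over TLS, from the NAT gateway IP succeeds. Note the footgun in the NotIpAddress Deny: it also locks out administrators and the console unless they sit behind the same IP or are excluded with an aws:PrincipalArn condition, so test it on a non-production bucket first. The simulation does not model cross-account access, SCPs, bucket ACLs or Block Public Access.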
