Logo of Trend Micro

Limit S3 Bucket Access by IP Address

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your AWS S3 buckets are configured using policies to allow access only to specific (trusted) IP addresses in order to protect against unauthorized access. Prior to running this rule by the Cloud Conformity engine you need to configure the rule and provide the list of public IPv4 addresses that are allowed to access your S3 buckets.

Security

Allowing untrustworthy access to your AWS S3 buckets can lead to unauthorized actions such as viewing, uploading, modifying or deleting S3 objects. To prevent S3 data exposure, data loss, unexpected charges on your AWS bill or you just want a central place to manage your buckets access using policies, you need to ensure that your S3 buckets are accessible only to a short list of safelisted IPs.

Note: Since S3 Bucket policies are limited to 20 KB in size, you must configure the rule with a short list of trusted IP addresses.

Audit

To determine if the access to your S3 buckets is restricted to specific IP addresses via bucket policies, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click on the bucket name (link) to access its configuration page.

04 On the bucket configuration page, click Permissions to access the permissions panel.

05 Now click Bucket policy to access the bucket access policy currently in use.

06 Inside the Bucket Policy Editor box, search for the Condition policy element. The Condition element lets you specify conditions for when a bucket policy is in effect. Within Condition block you build expressions in which you use operators to match the condition in the policy against the values in the request. The Condition values can include the IP address of the requester, date, time, the ARN of the request source, the user name, the user ID or the user agent of the requester. For this conformity rule, the Condition element values must include IP addresses. If the Condition element value does not include IP addresses (using aws:SourceIp condition key) or the Condition block is not defined within the policy document, the access to the selected Amazon S3 bucket is not restricted to specific (trusted) IP addresses and can be marked as insecure.

07 Repeat steps no. 3 - 6 to verify the access policies defined for other S3 buckets available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets created within your AWS account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the names of the S3 buckets available across all AWS regions: 

[
    "cc-webapp-backups",
    "cc-internal-repo",
]

03 Run get-bucket-policy command (OSX/Linux/UNIX) to retrieve the bucket policy defined for selected S3 bucket and copy its content into a JSON file named s3-bucket-access-policy.json (the command does not produce an output): 

aws s3api get-bucket-policy
	--bucket cc-webapp-backups
	--query Policy
	--output text > s3-bucket-access-policy.json

04 Open the s3-bucket-access-policy.json file in your preferred text editor. The policy document extracted with the get-bucket-policy command should look like this: 

{
    "Id": "Policy1477065434589",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1477065432331",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::cc-webapp-backups/*"
        }
    ]
}

Search the opened policy document for the Condition policy element. The Condition element lets you specify conditions for when a bucket policy is in effect. Within Condition block you build expressions in which you use operators to match the condition in the policy against the values in the request. The Condition values can include the IP address of the requester, date, time, the ARN of the request source, the user name, the user ID or the user agent of the requester. For this conformity rule, the Condition element values must include IP addresses. If the Condition element value does not include IP addresses (using aws:SourceIp condition key) or the Condition block is not defined within the policy document, the access to the selected Amazon S3 bucket is not restricted to specific IP addresses, therefore the bucket can be marked as insecure.

05 Repeat step no. 3 and 4 to check the access policies defined for other S3 buckets available in your AWS account.

Remediation / Resolution

To update your Amazon S3 buckets policy in order to grant access only to specific (trusted) IP addresses, perform the following:

Note: As example, this rule section demonstrates how to grant permissions to specific IPs to perform any S3 operations on objects within the selected bucket.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to reconfigure and click on the bucket name (link) to access its settings page.

04 On the bucket settings page, click Permissions to access the permissions panel.

05 Click Bucket policy to access the bucket access policy in use.

06 Within Bucket Policy Editor box, make sure the Effect element value is set to "Allow", then append the following Condition block to the policy Statement element: "Condition": {"IpAddress": {"aws:SourceIp": ["54.197.25.93/32","54.240.143.3/32"] } }, where 54.197.25.93 and 54.240.143.3 are examples of trusted IP addresses that can access the selected S3 bucket objects (replace the described IP(s) with your own trusted IP(s)).

07 Click Save to apply the policy changes. Once the bucket policy has been successfully updated, only the requests that originate from the IP addresses specified in the Condition block can reach the selected S3 bucket.

08 Repeat steps no. 3 - 7 to restrict access to specific IP(s) via bucket policies for other S3 buckets available in your AWS account.

Using AWS CLI

01 First, you need to edit your S3 bucket access policy to add the necessary Condition block and save it within a JSON document named ip-based-access-policy.json. You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your custom S3 access policies. The following example contains an S3 policy document that allows the users that perform requests from the following IP addresses: 54.197.25.93 and 54.240.143.3, to perform any actions on the objects stored within an S3 bucket identified by the ARN "arn:aws:s3:::cc-webapp-backups": 

{
    "Id": "IPLimitedAccessPolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTrustedIPs",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::cc-webapp-backups/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "54.197.25.93/32",
                        "54.240.143.3/32"
                    ]
                }
            }
        }
    ]
}

02 Run put-bucket-policy command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure (see Audit section part II to identify the right bucket) to replace the existing access policy with the one defined at the previous step, i.e. ip-based-access-policy.json, (the command does not produce an output): 

aws s3api put-bucket-policy
	--bucket webapp-file-backups
	--policy file://s3-cross-account-access-policy.json

03 Repeat step no. 1 and 2 to restrict access to specific IP(s) via bucket policies for other S3 buckets available within your AWS account.

References

Publication date Dec 18, 2017

Related S3 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Limit S3 Bucket Access by IP Address

Risk level: Medium