The effect of S3 PrivateLink on your Bucket Policies

In February of 2021 S3 PrivateLink went GA. One interesting behavior it introduced is that you can now use your VPC CIDRs as a condition in your bucket policies: with S3 PrivateLink, the aws:SourceIp context key can be used to allow or deny access to your buckets.

As most people know, prior to S3 PrivateLink we had S3 Gateway Endpoints. The AWS documentation tells us that you cannot use the aws:SourceIp context key with a gateway endpoint. Meaning, if you attempted to allow or deny access with a bucket policy, the aws:SourceIp context key would not work.

What S3 PrivateLink now allows is setting up conditions in your bucket policy based on the source IP. For instance, I could block or allow access from a certain IP address or subnet.

10.1.100.187 cannot perform GetObject on this Bucket

Now when I try to do a GetObject from 10.1.100.187, which is connected to S3 via PrivateLink, I get a permission error.

[ec2-user@ip-10-1-100-187 ~]$ aws s3 --endpoint-url https://bucket.<vpc-endpoint address> cp s3://my-bucket-name/test.txt .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

I haven’t tested this, but I believe you could use the “aws:SourceIp” key to set up policies based on your on-prem address space as well, assuming you have Direct Connect.

One thing to keep in mind with this new capability: you must lock down the Principals, and you should also use the additional context keys available to you, such as aws:SourceVpce, to prevent unintended access.

What not to do
Match on the PrivateLink Endpoint + use the SourceIp key
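As an added example (not part of the original post), here is a small policy linter that flags the pattern warned about above: an Allow statement that relies on aws:SourceIp while leaving the Principal open or not also pinning aws:SourceVpce. Both sample policies are constructed for this example; the account id, role name and endpoint id are placeholders.

```python
# Constructed sample policies; the account id and endpoint id are placeholders,
# not values from the original post.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromVpcCidr",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket-name/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "10.1.0.0/16"}},
    }],
}

# Same intent, but the principal and the interface endpoint are pinned as well.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromVpcCidrViaEndpoint",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket-name/*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "10.1.0.0/16"},
            "StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"},
        },
    }],
}

def condition_keys(stmt):
    """Lower-cased context keys used anywhere in a statement's Condition."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys

def find_weak_allows(policy):
    """Sids of Allow statements that rely on aws:SourceIp while leaving the
    principal open or not also pinning aws:SourceVpce."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for stmt in stmts:
        keys = condition_keys(stmt)
        if stmt.get("Effect") != "Allow" or "aws:sourceip" not in keys:
            continue
        if stmt.get("Principal") in ("*", {"AWS": "*"}) or "aws:sourcevpce" not in keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Running find_weak_allows on a policy pulled with get-bucket-policy gives a quick list of statements to review before relying on the source IP alone.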