Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Limit Bucket Access by IP Address

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon S3 buckets are configured to allow access only to specific (trusted) IP addresses in order to protect against unauthorized access. Prior to running this rule by the Trend Cloud One™ – Conformity engine, you have to provide the list of IPv4 addresses that are allowed to access your Amazon S3 buckets.

Security

Allowing untrustworthy access to your Amazon S3 buckets can lead to unauthorized actions such as viewing, uploading, modifying, or deleting S3 objects. To prevent S3 data exposure, data loss, unexpected charges on your AWS bill or you just want a central place to manage bucket access using bucket policies, you must ensure that your S3 buckets are accessible only to a short list of trusted IPs.

Because S3 bucket policies are limited to 20 KB in size, you must configure the conformity rule with a short list of trusted IP addresses.

Audit

To determine if the access to your Amazon S3 buckets is restricted to specific IP addresses via bucket policies, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Permissions tab from the console menu to access the bucket permissions.

05 In the Bucket policy section, search the policy document attached to the S3 bucket for the "Condition" element. The "Condition" element lets you specify conditions for when a bucket policy is in effect. Within the "Condition" block you can build expressions in which you use operators to match the condition in the policy against the values in the request. The "Condition" element values can include the IP address of the requester, the date and time, the ARN of the request source, the user name, the user ID or the user agent of the requester. For compliance, the "Condition" element value must include trusted IP addresses. If the "Condition" element value does not include IP addresses (using aws:SourceIp condition key) or the "Condition" block is not defined within the policy document, the access to the selected Amazon S3 bucket is not restricted to specific (trusted) IP addresses in order to meet security and compliance requirements.

06 Repeat steps no. 3 – 5 for each Amazon S3 bucket that you want to examine, available in your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available within your AWS cloud account: 

aws s3api list-buckets
  --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names: 

[
	"cc-prod-web-data",
	"cc-project5-data"
]

03 Run get-bucket-policy command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter to describe the bucket policy (JSON format) attached to the selected S3 bucket: 

aws s3api get-bucket-policy
  --bucket cc-prod-web-data
  --query Policy
  --output text

04 The command output should return the requested bucket policy document: 

{
	"Id": "cc-prod-bucket-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::cc-prod-web-data/*"
		}
	]
}

Check the policy document returned by the get-bucket-policy command output for the "Condition" element. The "Condition" element lets you specify conditions for when a bucket policy is in effect and can include the IP address of the requester, the date and time, the ARN of the request source, the user name, the user ID or the user agent of the requester. For compliance, the "Condition" element value must include trusted IP addresses. If the "Condition" element value does not include IP addresses (using aws:SourceIp condition key) or the "Condition" block is not defined within the policy document, the access to the selected Amazon S3 bucket is not restricted to trusted IP addresses in order to meet security and compliance requirements.

05 Repeat steps no. 3 and 4 for each Amazon S3 bucket that you want to examine created within your AWS cloud account.

Remediation / Resolution

To update the bucket policies attached to your Amazon S3 buckets in order to grant access to trusted IP addresses only, perform the following actions:

As an example, this rule section demonstrates how to grant permissions to specific (trusted) IPs to perform any S3 operations on objects within the selected bucket.

Using AWS CloudFormation

01 CloudFormation template (JSON): 

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Limit Bucket Access by IP Address",
	"Resources": {
		"S3Bucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": "cc-prod-web-data"
			}
		},
		"S3BucketPolicy": {
			"Type": "AWS::S3::BucketPolicy",
			"UpdateReplacePolicy": "Delete",
			"Properties": {
				"Bucket": "cc-prod-web-data",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
						  "Effect": "Allow",
						  "Principal": "*",
						  "Action": "s3:*",
						  "Resource": "arn:aws:s3:::cc-prod-web-data/*",
						  "Condition": {
							  "IpAddress": {
								  "aws:SourceIp": [
									  "10.0.0.15/32",
									  "10.0.0.28/32"
								  ]
							  }
						  }
						}
					]
				}
			}
		}
	}
}

02 CloudFormation template (YAML): 

AWSTemplateFormatVersion: '2010-09-09'
	Description: Limit Bucket Access by IP Address
	Resources:
	S3Bucket:
		Type: AWS::S3::Bucket
		Properties:
		BucketName: cc-prod-web-data
	S3BucketPolicy:
		Type: AWS::S3::BucketPolicy
		UpdateReplacePolicy: Delete
		Properties:
		Bucket: cc-prod-web-data
		PolicyDocument:
			Version: '2012-10-17'
			Statement:
			- Effect: Allow
				Principal: '*'
				Action: s3:*
				Resource: arn:aws:s3:::cc-prod-web-data/*
				Condition:
				IpAddress:
					aws:SourceIp:
					- 10.0.0.15/32
					- 10.0.0.28/32

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

	terraform {
		required_providers {
			aws = {
				source  = "hashicorp/aws"
				version = "~> 4.0"
			}
		}

		required_version = ">= 0.14.9"
	}

	provider "aws" {
		profile = "default"
		region  = "us-east-1"
	}

	resource "aws_s3_bucket" "s3-bucket" {
		bucket = "cc-prod-web-data"
	}

	resource "aws_s3_bucket_policy" "s3-bucket-policy" {
		bucket = aws_s3_bucket.s3-bucket.id
		policy = jsonencode({
			"Version": "2012-10-17",
			"Statement": [
				{
					"Effect": "Allow",
					"Principal": "*",
					"Action": "s3:*",
					"Resource": "arn:aws:s3:::cc-prod-web-data/*",
					"Condition": {
						"IpAddress": {
							"aws:SourceIp": [
								"10.0.0.15/32",
								"10.0.0.28/32"
							]
						}
					}
				}
			]
		})
	}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Permissions tab from the console menu to access the bucket permissions.

05 In the Bucket policy section, choose Edit to modify the bucket policy attached to the selected bucket.

06 In the Policy editor box, make sure that the "Effect" element value is set to "Allow" , then append the following "Condition" block to the existing policy statement: "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.15/32","10.10.10.5/32"] } }, where 10.0.0.15 and 10.10.10.5 are examples of trusted IPv4 addresses that can access the objects within the selected Amazon S3 bucket (replace the described IP(s) with your own trusted IP(s)). Choose Save changes to apply the changes. After the bucket policy has been successfully updated, only the requests that originate from the IP address(es) specified in the "Condition" block can reach the selected S3 bucket.

07 Repeat steps no. 3 – 6 to limit bucket access by IP address for otherAmazon S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Update the bucket policy attached to the Amazon S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource). Make sure that the "Effect" element value is set to "Allow" , then add the following "Condition" block to the existing policy statement: "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.15/32","10.10.10.5/32"] } }, where 10.0.0.15 and 10.10.10.5 are examples of trusted IPv4 addresses that can access the selected Amazon S3 bucket (replace the described IP(s) with your own trusted IP(s)). Once your policy document is updated to include the "Condition" block, save the document to a JSON file named ipv4-based-access-policy.json. The following example contains a bucket policy that allows users that perform requests from the IP addresses 10.0.0.15 and 10.10.10.5 to perform any actions on the objects available within an Amazon S3 bucket identified by the ARN "arn:aws:s3:::cc-prod-web-data": 

{
	"Id": "cc-allow-trusted-ips-only",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::cc-prod-web-data/*",
			"Condition": {
				"IpAddress": {
					"aws:SourceIp": [
						"10.0.0.15/32",
						"10.10.10.5/32"
					]
				}
			}
		}
	]
}

02 Run put-bucket-policy command (OSX/Linux/UNIX) to replace the existing bucket policy attached to the specified Amazon S3 bucket with the policy modified at the previous step (if successful, the command request should not produce an output): 

aws s3api put-bucket-policy
  --bucket cc-prod-web-data
  --policy file://ipv4-based-access-policy.json

03 Repeat step no. 1 and 2 to limit bucket access by IP address for otherAmazon S3 buckets available within your AWS cloud account.

References

Publication date Dec 18, 2017

Related S3 rules