ablog

Notes from a clumsy, fidgety engineer

Allowing access to an S3 Access Point in a VPCE policy

When a VPC endpoint policy is meant to allow access to an S3 Access Point, the Resource element has to list the S3 bucket ARNs as well as the S3 Access Point ARNs. As the test cases below show, a request made through the access point is denied as soon as either the bucket-side or the access-point-side ARN for that operation is missing. The test policies deliberately use Principal "*" and Action "*" so that only the Resource element is being exercised; a production endpoint policy should narrow Action (and add conditions) as appropriate.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files", ★ needed for listing objects (ls)
                "arn:aws:s3:::system1-if-files/*", ★ needed for Get/Put of files
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1", ★ needed for listing objects (ls)
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"  ★ needed for Get/Put of files
            ]
        }
    ]
}

Test results

#  Test case                                                                                             Get     Put     ls
1  Without arn:aws:s3:::system1-if-files                                                                 OK      OK      denied
2  Without arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1                                 OK      OK      denied
3  Without arn:aws:s3:::system1-if-files/*                                                               denied  denied  OK
4  Without arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*                        denied  denied  OK
5  All included                                                                                          OK      OK      OK
6  All included, with accesspoint/ap-system1/* in place of accesspoint/ap-system1/object/*               OK      OK      OK
1. Without arn:aws:s3:::system1-if-files
  • VPC endpoint policy (without the bucket ARN)
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
            ]
        }
    ]
}
  • ls fails
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
2. Without arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1
  • VPC endpoint policy (without the access point ARN)
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
            ]
        }
    ]
}
  • ls fails
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
3. Without arn:aws:s3:::system1-if-files/*
  • VPC endpoint policy (without the bucket/* ARN)
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
            ]
        }
    ]
}
  • Get/Put fail (aws s3 cp issues a HeadObject first, hence the 403 on download; the 100 MB upload goes through CreateMultipartUpload)
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload failed: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:04:56  100000000 100mb.dat
4. Without arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*
  • VPC endpoint policy (without the accesspoint/object/* ARN)
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1"
            ]
        }
    ]
}
  • Get/Put fail
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload failed: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:04:56  100000000 100mb.dat
5. All included
  • VPC endpoint policy (all included)
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
            ]
        }
    ]
}
  • All succeed
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:13:40  100000000 100mb.dat
6. All included, with accesspoint/ap-system1/* in place of accesspoint/ap-system1/object/*
  • VPC endpoint policy (access point ARN with /* instead of /object/*)
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/*"
            ]
        }
    ]
}
  • All succeed
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:14:34  100000000 100mb.dat
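As an added example (my own code, not part of the original post), the following Python script encodes the six results above: it generates the "all included" endpoint policy for a bucket/access point pair and lints an existing policy, predicting which operations through the access point will be denied by the Resource element alone. Function names, the sample object key dir1/dir2/100mb.dat and the wildcard matcher are assumptions of this example; the region, account, bucket and access point names are the ones used in the tests above. IAM wildcard matching is approximated by treating * as "any characters, including /" and ? as a single character, which is how resource ARN wildcards behave.

```python
"""Generate and lint a VPC endpoint policy for S3 access point traffic.

Encodes the six test results from this post: listing (ListObjectsV2) needs
both the bucket ARN and the access point ARN; Get/Put need both bucket/* and
accesspoint/<name>/object/* (a wider accesspoint/<name>/* also works).
Function names and the sample object key are constructed for this example.
"""
import json
import re


def required_resources(region: str, account: str, bucket: str, ap_name: str) -> dict:
    """The four Resource ARNs an endpoint policy needs, keyed by purpose."""
    ap = f"arn:aws:s3:{region}:{account}:accesspoint/{ap_name}"
    return {
        "bucket": f"arn:aws:s3:::{bucket}",            # ls via the access point
        "bucket_objects": f"arn:aws:s3:::{bucket}/*",  # Get/Put via the access point
        "access_point": ap,                            # ls via the access point
        "ap_objects": f"{ap}/object/*",                # Get/Put via the access point
    }


def build_vpce_policy(region, account, bucket, ap_name, actions="*"):
    """Single Allow statement listing all four ARNs (the 'all included' case).

    Principal "*" is normal for an endpoint policy; narrow `actions` in
    production instead of keeping the test-time "*".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": actions,
            "Resource": list(required_resources(region, account, bucket, ap_name).values()),
        }],
    }


def _iam_pattern_to_regex(pattern: str):
    """IAM Resource wildcards: '*' matches any run of characters (including '/'), '?' one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def allowed_resources(policy: dict) -> list:
    """Collect the Resource entries of every Allow statement (string or list form)."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        res = stmt.get("Resource", [])
        out.extend([res] if isinstance(res, str) else res)
    return out


def missing_resources(policy, region, account, bucket, ap_name, key="dir1/dir2/100mb.dat"):
    """Names (as in required_resources) of the ARNs the policy does not cover.

    Concrete ARNs for one sample object are probed, so accesspoint/<name>/*
    is accepted as well as accesspoint/<name>/object/*, while a prefix ARN
    that forgets the /object/ segment is reported as missing.
    """
    ap = f"arn:aws:s3:{region}:{account}:accesspoint/{ap_name}"
    probes = {
        "bucket": f"arn:aws:s3:::{bucket}",
        "bucket_objects": f"arn:aws:s3:::{bucket}/{key}",
        "access_point": ap,
        "ap_objects": f"{ap}/object/{key}",
    }
    patterns = [_iam_pattern_to_regex(p) for p in allowed_resources(policy)]
    return [name for name, arn in probes.items()
            if not any(p.match(arn) for p in patterns)]


def check_policy(policy, region, account, bucket, ap_name) -> dict:
    """Predict which operations through the access point the policy permits.

    Only the Resource element is evaluated; Action and Condition are assumed
    to allow the call, as in the test policies above (Action "*").
    """
    missing = set(missing_resources(policy, region, account, bucket, ap_name))
    return {
        "ls": not (missing & {"bucket", "access_point"}),
        "get_put": not (missing & {"bucket_objects", "ap_objects"}),
    }


if __name__ == "__main__":
    args = ("ap-northeast-1", "123456789012", "system1-if-files", "ap-system1")
    policy = build_vpce_policy(*args)
    print(json.dumps(policy, indent=4))
    print(check_policy(policy, *args))
    # Reproduce test case 4: drop accesspoint/<name>/object/* and Get/Put break.
    policy["Statement"][0]["Resource"].pop()
    print(missing_resources(policy, *args), check_policy(policy, *args))
```

The generator emits "Version": "2012-10-17" as the AWS reference example does, rather than the "2008-10-17" used in the test policies above. Deny statements and Condition elements are ignored by the checker, so a "ls: True" verdict only means the Resource element is not the reason for an AccessDenied.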

References

The following example policy statement configures a VPC endpoint to allow calls to GetObject for a bucket named awsexamplebucket1 and an access point named example-vpc-ap.

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Principal": "*",
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::awsexamplebucket1/*",
            "arn:aws:s3:us-west-2:123456789012:accesspoint/example-vpc-ap/object/*"
        ]
    }]
}
Creating access points restricted to a virtual private cloud - Amazon Simple Storage Service

An easy mistake to make in S3 Access Point policies is forgetting the "/object/" segment after the access point ARN. Object ARNs under an access point have the form arn:aws:s3:<region>:<account>:accesspoint/<name>/object/<key>, so while a bare accesspoint/<name>/* still matches them (test case 6), a prefix-scoped resource written like a bucket ARN, e.g. accesspoint/<name>/dir1/*, matches nothing and Get/Put fail with AccessDenied.