ablog

不器用で落着きのない技術者のメモ

VPCE ポリシーで S3 アクセスポイントへのアクセスを許可する

AWS

VPC エンドポイントポリシーで S3 アクセスポイントへのアクセスを許可する場合、Resource 句に S3 アクセスポイントだけでなく、S3 バケットも含める必要がある。

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files", ★ オブジェクトの ls に必要
                "arn:aws:s3:::system1-if-files/*", ★ファイルの Get/Put に必要
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1", ★オブジェクトの ls に必要
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"  ★ファイルの Get/Put に必要
            ]
        }
    ]
}

検証結果

#	テストケース	Get	Put	ls
1	arn:aws:s3:::system1-if-files なし	○	○	✕
2	arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1 なし	○	○	✕
3	arn:aws:s3:::system1-if-files/* なし	✕	✕	○
4	arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/* なし	✕	✕	○
5	全部入り	○	○	○
6	全部入りのアクセスポイント/* バージョン	○	○	○

1. arn:aws:s3:::system1-if-files なし

VPCエンドポイントポリシー（バケットなし）

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
            ]
        }
    ]
}

ls がエラー

[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

2. arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1 なし

VPCエンドポイントポリシー（アクセスポイントなし）

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
            ]
        }
    ]
}

ls がエラー

[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

3. arn:aws:s3:::system1-if-files/* なし

VPCエンドポイントポリシー（バケット/* なし）

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
            ]
        }
    ]
}

Get/Put がエラー

[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload failed: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:04:56  100000000 100mb.dat

4. arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/* なし

VPCエンドポイントポリシー（アクセスポイント/object/* なし）

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1"
            ]
        }
    ]
}
-Get/Put がエラー
>|sh|
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload failed: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:04:56  100000000 100mb.dat

全部入り

VPCエンドポイントポリシー（全部入り）

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/object/*"
            ]
        }
    ]
}

全て成功

[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:13:40  100000000 100mb.dat

全部入りのアクセスポイントで object/* なしバージョン

VPCエンドポイントポリシー（アクセスポイントで object/* なし）

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::system1-if-files",
                "arn:aws:s3:::system1-if-files/*",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1",
                "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/*"
            ]
        }
    ]
}

全て成功

[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp 100mb.dat s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
upload: ./100mb.dat to s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 cp s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat ./ --profile profile-if-pf
download: s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/100mb.dat to ./100mb.dat
[ec2-user@ip-172-32-1-222 ~]$ aws s3 ls s3://arn:aws:s3:ap-northeast-1:123456789012:accesspoint/ap-system1/dir1/dir2/ --profile profile-if-pf
2021-09-04 14:14:34  100000000 100mb.dat

参考

The following example policy statement configures a VPC endpoint to allow calls to GetObject for a bucket named awsexamplebucket1 and an access point named example-vpc-ap.
{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Principal": "*",
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::awsexamplebucket1/*",
            "arn:aws:s3:us-west-2:123456789012:accesspoint/example-vpc-ap/object/*"
        ]
    }]
}
Creating access points restricted to a virtual private cloud - Amazon Simple Storage Service

S3 アクセスポイントのポリシーで間違いやすいのは S3 アクセスポイントの ARN の後に "/object/" のつけ忘れ。