Bucket Policy for IP Restrictions Not Working

Security
#1

Hi All,

Pretty simple issue here that I can’t figure out… I have some static content hosted in S3 that I would like to only allow access to from Cloudflare. I’ve configured a bucket policy according to the instructions:

https://support.cloudflare.com/hc/en-us/articles/360037983412-Configuring-an-Amazon-Web-Services-static-site-to-use-Cloudflare

The issue is, public access is still allowed even though I’m using the bucket policy. It’s simply not really doing anything.

I would assume that the cloudflare proxy (https://cloudflare.vmlab.me) would work and the bucket endpoint website (http://cloudflare.vmlab.me.s3-website-us-east-1.amazonaws.com/) would fail if using the policy but that doesn’t appear to be the case.

Does anyone have any suggestions on where this went wrong?

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "PublicReadGetObject",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject*",
			"Resource": "arn:aws:s3:::cloudflare.vmlab.me/*",
			"Condition": {
				"IpAddress": {
					"aws:SourceIp": [
						"2400:cb00::/32",
						"2606:4700::/32",
						"2803:f800::/32",
						"2405:b500::/32",
						"2405:8100::/32",
						"2a06:98c0::/29",
						"2c0f:f248::/32",
						"173.245.48.0/20",
						"103.21.244.0/22",
						"103.22.200.0/22",
						"103.31.4.0/22",
						"141.101.64.0/18",
						"108.162.192.0/18",
						"190.93.240.0/20",
						"188.114.96.0/20",
						"197.234.240.0/22",
						"198.41.128.0/17",
						"162.158.0.0/15",
						"172.64.0.0/13",
						"131.0.72.0/22",
						"104.16.0.0/13",
						"104.24.0.0/14"
					]
				}
			}
		}
	]
}
#2

Also:

image
image2746×827 165 KB

image
image2741×1427 232 KB

image
image2742×898 127 KB

#3

I solved this. Had to change the bucket policy to an explicit deny except CF IPs plus IAM root user. In other words, CF’s internal support document was not correct.

The support article I used for the revised bucket was the following:

https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCloudflareOnly",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "s3:*",
			"Resource": [
				"arn:aws:s3:::cloudflare.vmlab.me",
				"arn:aws:s3:::cloudflare.vmlab.me/*"
			],
			"Condition": {
				"StringNotLike": {
					"aws:userid": "375481576207"
				},
				"NotIpAddress": {
					"aws:SourceIp": [
						"2400:cb00::/32",
						"2606:4700::/32",
						"2803:f800::/32",
						"2405:b500::/32",
						"2405:8100::/32",
						"2a06:98c0::/29",
						"2c0f:f248::/32",
						"173.245.48.0/20",
						"103.21.244.0/22",
						"103.22.200.0/22",
						"103.31.4.0/22",
						"141.101.64.0/18",
						"108.162.192.0/18",
						"190.93.240.0/20",
						"188.114.96.0/20",
						"197.234.240.0/22",
						"198.41.128.0/17",
						"162.158.0.0/15",
						"172.64.0.0/13",
						"131.0.72.0/22",
						"104.16.0.0/13",
						"104.24.0.0/14"
					]
				}
			}
		}
	]
}
#4

Ran into the same problem, and also found a possibly related issue from October 2020. S3 IP address ACL broken

I would get 403 errors from S3 using the suggested bucket policy under “Configure bucket policies to allow Cloudflare IP addresses” in this support article: https://support.cloudflare.com/hc/en-us/articles/360037983412-Configuring-an-Amazon-Web-Services-static-site-to-use-Cloudflare

Fwiw, the article shows updated 1 month ago.

In addition to unchecking all of the “Block Public Access” checkboxes in the bucket permissions, flipping “Deny” to “Allow” seems to work.

Change: "Effect": "Deny",
To: "Effect": "Allow",

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "PublicReadGetObject",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::<YOUR-BUCKET-NAME-HERE>/*",
			"Condition": {
				"IpAddress": {
					"aws:SourceIp": [
						"2400:cb00::/32",
						"2606:4700::/32",
						"2803:f800::/32",
						"2405:b500::/32",
						"2405:8100::/32",
						"2a06:98c0::/29",
						"2c0f:f248::/32",
						"173.245.48.0/20",
						"103.21.244.0/22",
						"103.22.200.0/22",
						"103.31.4.0/22",
						"141.101.64.0/18",
						"108.162.192.0/18",
						"190.93.240.0/20",
						"188.114.96.0/20",
						"197.234.240.0/22",
						"198.41.128.0/17",
						"162.158.0.0/15",
						"172.64.0.0/13",
						"131.0.72.0/22",
						"104.16.0.0/13",
						"104.24.0.0/14"
					]
				}
			}
		}
	]
}

With the above bucket policy in place and no other deviations from the Cloudflare support article things are working. Public access to my bucket seems to be disallowed, and only Cloudflare IP’s can access it. It feels a little strange not having any Deny rules in there, but seems to be implicit. The S3 console shows the big red “Public” warning, but the bucket policy does not allow public access.

I think there’s something about access to objects by the owner who uploads them, but I got a little lost in that AWS documentation. :slight_smile:

1 Like