S3 IP address ACL broken

Using S3 ACL settings here: https://support.cloudflare.com/hc/en-us/articles/360037983412-Configuring-an-Amazon-Web-Services-static-site-to-use-Cloudflare

Sometime yesterday I started seeing 403 responses when accessing my S3 backed distribution.

Disabling the firewall completely on the S3 side resolves issue, and I see this on multiple distributions across multiple accounts, all on AWS us-east-1, so I suspect that there is a new IP address which CF is using which needs to be added to the ACL?

I enabled cloudtrace logging on the S3 bucket, and I found some access denied errors with source IP addresses inside of the whitelisted block.

I tried a few configurations, and it appears that S3 is now parsing the ACL differently. Any rule with a deny section results in 403s. Apparently if you have an allow section there is an implicit deny everything else. I don’t like implicit rules much, but this seems to work.

Here’s the config that worked for me:

Block all public access
Off

Bucket policy
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Sid”: “PublicReadGetObject”,
“Effect”: “Allow”,
“Principal”: “",
“Action”: “s3:GetObject”,
“Resource”: "arn:aws:s3:::DOMAIN/
”,
“Condition”: {
“IpAddress”: {
“aws:SourceIp”: [
“2400:cb00::/32”,
“2405:8100::/32”,
“2405:b500::/32”,
“2606:4700::/32”,
“2803:f800::/32”,
“2c0f:f248::/32”,
“2a06:98c0::/29”,
“103.21.244.0/22”,
“103.22.200.0/22”,
“103.31.4.0/22”,
“104.16.0.0/12”,
“108.162.192.0/18”,
“131.0.72.0/22”,
“141.101.64.0/18”,
“162.158.0.0/15”,
“172.64.0.0/13”,
“173.245.48.0/20”,
“188.114.96.0/20”,
“190.93.240.0/20”,
“197.234.240.0/22”,
“198.41.128.0/17”
]
}
}
}
]
}

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.