AWS Endpoint Policy for Trusted S3 Buckets

An Amazon S3 VPC endpoint policy is an IAM resource policy attached to the endpoint itself. It controls which principals may reach which buckets, and with which actions, for requests that traverse that endpoint. It is one layer only: it never sees requests that reach S3 by any other path (the public S3 endpoints, another VPC, the console), and it cannot grant permissions the caller's IAM policies lack. In practice it is combined with a bucket policy and S3 Block Public Access rather than used alone.


📌 Use Case: SecureCart’s Trusted S3 Buckets

📌 Scenario: SecureCart stores customer order data and transaction logs in Amazon S3. To enhance security:

✔ Only principals from SecureCart’s AWS account should access S3 through the VPC endpoint.
✔ Public access to the buckets should be blocked (S3 Block Public Access and the bucket policy handle this; the endpoint policy alone cannot).
✔ Only specific IAM roles should have read/write access to the bucket.


✅ Sample S3 VPC Endpoint Policy (Allow Only Trusted Accounts & IAM Roles)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

📌 Explanation of Policy:

🔹 Statement 1 (Allow Access for Trusted AWS Account)
✔ Allows all S3 actions (s3:*) on securecart-private-bucket and on the objects in it.
✔ "Principal": "*" together with the aws:PrincipalAccount condition limits the Allow to IAM users and roles in SecureCart’s account (123456789012); principals from any other account receive an implicit deny.
✔ Because the Resource list names only this bucket, every other bucket is implicitly denied through this endpoint. That includes AWS-owned buckets that instances in the VPC may depend on (Amazon Linux package repositories and ECR image layers are served from S3), so add their bucket ARNs to an Allow statement if workloads in the VPC need them.

🔹 Statement 2 (Deny Unencrypted Requests)
✔ Explicitly denies any request where aws:SecureTransport is false, i.e. a request sent over plain HTTP.
✔ An explicit Deny always beats an Allow, so even the trusted account cannot use HTTP through this endpoint.

📌 Caveat: the endpoint policy is evaluated only for traffic that passes through this endpoint. A principal with matching IAM permissions can still reach the bucket from the internet or from another VPC, so the same two conditions belong in the bucket policy as well.


📌 Additional Enhancements

1️⃣ Restrict Access to Specific IAM Roles

"Condition": {
  "ArnEquals": {
    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecureCartDataAccess"
  }
}

🔹 Only allows the IAM role SecureCartDataAccess to access the bucket through the endpoint. For a role session, aws:PrincipalArn carries the role ARN rather than the assumed-role session ARN, so ArnEquals against the role ARN matches every session of that role. Because the role ARN already embeds the account ID, this condition makes aws:PrincipalAccount redundant; keeping both is harmless.

2️⃣ Restrict Access to a Specific VPC

"Condition": {
  "StringEquals": {
    "aws:SourceVpc": "vpc-abcdef123456"
  }
}

🔹 Restricts the Allow to requests whose source VPC is vpc-abcdef123456. Inside an endpoint policy this is largely redundant, since a gateway endpoint belongs to exactly one VPC. The key earns its keep in the bucket policy, where a Deny with StringNotEquals on aws:SourceVpc (or on aws:SourceVpce, the ID of one specific endpoint) blocks every request that did not arrive through the trusted VPC.

3️⃣ Limit Access to Read-Only or Write-Only

Replace the single s3:* Allow with one statement per role, each listing only the actions that role needs:

  • Read-only roles: s3:GetObject on the object ARN (securecart-private-bucket/*) and s3:ListBucket on the bucket ARN itself.

  • Write-only workloads: s3:PutObject (plus s3:AbortMultipartUpload if they upload large objects) on the object ARN, with no Get or Delete actions.


📌 Summary

🚀 With this VPC endpoint policy in place, traffic to SecureCart’s bucket through the endpoint is:
✔ Limited to principals in SecureCart’s AWS account.
✔ Limited to the IAM roles that should access it.
✔ Required to carry the trusted VPC as its source.
✔ Forced to use TLS (HTTPS).
Requests that never traverse the endpoint are unaffected by this policy; the bucket policy is where those are denied.

Hands-On Guide: Implementing a Secure VPC Endpoint Policy for Trusted S3 Buckets in SecureCart’s AWS Environment

This guide walks through the step-by-step process of securing SecureCart’s Amazon S3 buckets using a VPC endpoint policy that ensures, for traffic through that endpoint:
✔ Only SecureCart’s AWS account can access the bucket
✔ Only specific IAM roles can perform actions
✔ Requests must originate from a specific VPC
✔ Requests must use HTTPS (TLS/SSL)


📌 Step 1: Create a VPC Endpoint for Amazon S3

📌 Why? A VPC endpoint lets instances in SecureCart’s VPC reach S3 over the AWS network, with no NAT gateway or internet gateway in the path. S3 offers two kinds: a gateway endpoint (a route-table entry, no charge, the usual choice) and an interface endpoint (PrivateLink network interfaces in your subnets, needed when on-premises networks or peered VPCs must reach S3 privately).

✅ Actions:

1️⃣ Sign in to the AWS Management Console.
2️⃣ Navigate to VPC → Endpoints → Create Endpoint.
3️⃣ Select AWS services and search for S3; pick the Gateway entry (com.amazonaws.<region>.s3) unless you specifically need PrivateLink.
4️⃣ Choose the VPC where SecureCart’s applications are running.
5️⃣ For a gateway endpoint, select the route tables of the private subnets that need access; routes to the S3 prefix list are added to them. For an interface endpoint, select the private subnets instead and attach a security group that allows inbound TCP 443 from those subnets.
6️⃣ Leave the policy at Full access for now; Step 2 replaces it.
7️⃣ Click Create Endpoint.

Result: A new VPC endpoint is created. Its default policy allows every principal every action on every bucket, so nothing is restricted yet.


📌 Step 2: Attach a Secure Endpoint Policy

📌 Why? The endpoint policy restricts who can do what through this endpoint. It does not grant anything the caller’s IAM policies do not already allow.

✅ Actions:

1️⃣ Navigate to the VPC endpoint you just created.
2️⃣ Click Policy → Edit Policy.
3️⃣ Copy and paste the following policy (adjusting the AWS account ID, VPC ID, and IAM role names).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

✔ Restricts access to principals in SecureCart’s AWS account (123456789012)
✔ Denies requests that are not encrypted (HTTPS required)

4️⃣ Click Save.

Result: Through this endpoint, only principals from SecureCart’s account can reach the bucket and unencrypted requests are denied. Requests to any other bucket are now implicitly denied as well, so revisit the Resource list if instances in the VPC also need AWS-owned buckets such as package repositories.


📌 Step 3: Restrict Access to Specific IAM Roles

📌 Why? Only authorized IAM roles should have access.

✅ Actions:

1️⃣ Edit the VPC endpoint policy.
2️⃣ Add the IAM role restriction to the Condition block of the Allow statement (a second operator in the same block is ANDed with the existing one):

"Condition": {
  "ArnEquals": {
    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecureCartDataAccess"
  }
}

📌 Example Updated Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        },
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecureCartDataAccess"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Result:
✔ Through this endpoint, only sessions of the IAM role SecureCartDataAccess can access the bucket; every other user or role in the account gets an implicit deny.
✔ The aws:PrincipalAccount condition is now redundant, because the role ARN fixes the account, but it is harmless to keep.


📌 Step 4: Enforce Access from a Specific VPC

📌 Why? Make the source VPC an explicit condition of the endpoint policy, and mirror it in the bucket policy so that the bucket really is reachable only from SecureCart’s trusted VPC.

✅ Actions:

1️⃣ Edit the VPC endpoint policy.
2️⃣ Add the VPC restriction to the StringEquals block of the Allow statement:

"Condition": {
  "StringEquals": {
    "aws:SourceVpc": "vpc-abcdef123456"
  }
}

📌 Example Updated Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012",
          "aws:SourceVpc": "vpc-abcdef123456"
        },
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecureCartDataAccess"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Result:
✔ The Allow now also requires aws:SourceVpc to equal vpc-abcdef123456. Because a gateway endpoint is bound to a single VPC this changes little by itself, but it records the intent and still holds if the policy is copied to another endpoint.
✔ It does not deny access from outside the VPC. The endpoint policy is never evaluated for requests that do not pass through the endpoint, so the authorized role could still reach the bucket from a laptop on the internet. To close that path, attach a bucket policy with a Deny on s3:* whose condition is StringNotEquals on aws:SourceVpce (the endpoint ID) or aws:SourceVpc. Negated operators match when the key is absent, so requests from the public internet, which carry neither key, are denied. Exempt a break-glass administrator role with ArnNotEquals on aws:PrincipalArn in the same statement, or the policy locks out everyone, console included.
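To check the reasoning above without an AWS account, here is an added example (not from this page and not AWS code) that models the small part of IAM evaluation these policies rely on and runs the Step 4 endpoint policy together with a companion bucket policy of the kind just described. It uses the page’s placeholder account, bucket, role and VPC IDs; the endpoint ID vpce-0a1b2c3d4e5f6a7b8 and the bucket policy itself are assumptions. The evaluator ignores Principal (every statement here uses "*") and assumes the caller’s identity policy already allows the action. It doubles as an offline version of the checks in Step 5.

```python
"""Offline model of this page's endpoint policy plus an assumed bucket policy.

Added example, not AWS code. Models only what these policies rely on: an
explicit Deny beats any Allow, every key in every condition block must match,
a missing context key fails StringEquals/ArnEquals/Bool but satisfies
StringNotEquals, and the endpoint policy is consulted only for requests that
arrived through the endpoint (aws:SourceVpce present in the context).
"""
import fnmatch

ACCOUNT = "123456789012"
BUCKET = "securecart-private-bucket"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/SecureCartDataAccess"
VPC_ID = "vpc-abcdef123456"
VPCE_ID = "vpce-0a1b2c3d4e5f6a7b8"  # assumed endpoint ID
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# The Step 4 endpoint policy, as attached to the VPC endpoint.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringEquals": {"aws:PrincipalAccount": ACCOUNT, "aws:SourceVpc": VPC_ID},
                   "ArnEquals": {"aws:PrincipalArn": ROLE_ARN}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Assumed companion bucket policy: denies every path that is not the trusted
# endpoint. StringNotEquals matches when aws:SourceVpce is absent, which is the
# case for requests from the internet or from another VPC.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyNotViaTrustedEndpoint", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": BUCKET_ARNS, "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": BUCKET_ARNS, "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(operator, actual, expected):
    expected = _as_list(expected)
    if operator == "StringNotEquals":          # negated operator: a missing key matches
        return actual is None or actual not in expected
    if actual is None:                         # every other operator fails on a missing key
        return False
    if operator == "StringEquals":
        return actual in expected
    if operator in ("ArnEquals", "ArnLike"):   # IAM treats these two as synonyms
        return any(fnmatch.fnmatchcase(actual, pattern) for pattern in expected)
    if operator == "Bool":
        return actual.lower() == expected[0].lower()
    raise ValueError(f"operator not modelled: {operator}")


def _statement_applies(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_ok(op, ctx.get(key), want)
               for op, pairs in stmt.get("Condition", {}).items() for key, want in pairs.items())


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'. Principal is '*' everywhere here."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def s3_allows(action, key, ctx, bucket_policy=BUCKET_POLICY, identity_allows=True):
    """Combine the layers for a same-account caller whose IAM policy already allows the action."""
    resource = f"arn:aws:s3:::{BUCKET}/{key}" if key else f"arn:aws:s3:::{BUCKET}"
    if bucket_policy and evaluate(bucket_policy, action, resource, ctx) == "Deny":
        return False
    if "aws:SourceVpce" in ctx and evaluate(ENDPOINT_POLICY, action, resource, ctx) != "Allow":
        return False                           # the endpoint policy gates endpoint traffic only
    return identity_allows


def request_context(principal_arn, account=ACCOUNT, via_endpoint=True, https=True):
    """Context keys S3 sees for the request paths Step 5 asks you to try."""
    ctx = {"aws:PrincipalArn": principal_arn, "aws:PrincipalAccount": account,
           "aws:SecureTransport": "true" if https else "false"}
    if via_endpoint:
        ctx.update({"aws:SourceVpc": VPC_ID, "aws:SourceVpce": VPCE_ID})
    return ctx


if __name__ == "__main__":
    intern = f"arn:aws:iam::{ACCOUNT}:role/Intern"
    for label, ctx, bp in [
        ("trusted role, via endpoint, HTTPS", request_context(ROLE_ARN), BUCKET_POLICY),
        ("trusted role, via endpoint, HTTP", request_context(ROLE_ARN, https=False), BUCKET_POLICY),
        ("other role, via endpoint", request_context(intern), BUCKET_POLICY),
        ("trusted role, internet, bucket policy", request_context(ROLE_ARN, via_endpoint=False), BUCKET_POLICY),
        ("trusted role, internet, no bucket policy", request_context(ROLE_ARN, via_endpoint=False), None),
    ]:
        print(f"{label:42} {'ALLOW' if s3_allows('s3:GetObject', 'orders/1.json', ctx, bp) else 'DENY'}")
```

The last two rows are the point of Step 4: with the endpoint policy alone, the trusted role reaching the bucket from the internet is allowed because the endpoint policy is not in the evaluation path at all; only the bucket policy’s StringNotEquals on aws:SourceVpce turns that into a deny.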


📌 Step 5: Test & Validate the Secure Setup

📌 Why? Ensure SecureCart’s security restrictions are working.

✅ Actions:

1️⃣ From an instance in the VPC, call S3 as an IAM user or role other than SecureCartDataAccess → the request should fail with AccessDenied.
2️⃣ From the same instance, force plaintext HTTP (for example with the AWS CLI’s --endpoint-url option pointing at an http:// S3 endpoint) → the request should fail with AccessDenied.
3️⃣ From the same instance, call S3 as SecureCartDataAccess over HTTPS → the request should succeed.
4️⃣ From outside the VPC, call S3 as SecureCartDataAccess → this should fail only if the bucket policy from Step 4 is in place; if it succeeds, the endpoint policy is doing its job but the bucket policy is missing.
5️⃣ Monitor CloudTrail for the bucket. Enable S3 data events for it first; management events alone do not record GetObject or PutObject calls.
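For item 5️⃣, an added example (not from this page and not an AWS tool) that reads CloudTrail S3 data events and reports the three conditions the policies are meant to enforce, plus AccessDenied errors that show someone probing. The records are constructed to have the shape of real CloudTrail S3 data events: the field names (eventSource, eventName, userIdentity with sessionContext.sessionIssuer, sourceIPAddress, vpcEndpointId, tlsDetails, errorCode, requestParameters.bucketName) are CloudTrail’s, while the values, event IDs and the endpoint ID vpce-0a1b2c3d4e5f6a7b8 are made up.

```python
"""Triage CloudTrail S3 data events against this page's access rules.

Added example, not AWS code. Every record below is constructed to look like a
CloudTrail S3 data event; none were captured from a real account.
"""
import json

BUCKET = "securecart-private-bucket"
TRUSTED_VPCE = "vpce-0a1b2c3d4e5f6a7b8"  # assumed endpoint ID
TRUSTED_ROLE = "arn:aws:iam::123456789012:role/SecureCartDataAccess"
TLS = {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
       "clientProvidedHostHeader": f"{BUCKET}.s3.us-east-1.amazonaws.com"}


def _record(event_id, event_name, identity, source_ip, bucket=BUCKET,
            key="orders/1.json", vpce=None, tls=True, error=None):
    """Build a constructed record with the field layout of a CloudTrail S3 data event."""
    rec = {"eventVersion": "1.08", "eventID": event_id, "eventSource": "s3.amazonaws.com",
           "eventName": event_name, "awsRegion": "us-east-1", "userIdentity": identity,
           "sourceIPAddress": source_ip, "requestParameters": {"bucketName": bucket, "key": key}}
    if vpce:
        rec["vpcEndpointId"] = vpce         # present only for requests through a VPC endpoint
    if tls:
        rec["tlsDetails"] = dict(TLS)       # CloudTrail populates this only for TLS requests
    if error:
        rec["errorCode"] = error
    return rec


# A role session carries the role ARN under sessionContext.sessionIssuer;
# userIdentity.arn is the assumed-role session ARN, which is not what the policy matches on.
ROLE_SESSION = {"type": "AssumedRole", "accountId": "123456789012",
                "arn": "arn:aws:sts::123456789012:assumed-role/SecureCartDataAccess/app-1",
                "sessionContext": {"sessionIssuer": {"type": "Role", "arn": TRUSTED_ROLE}}}
IAM_USER = {"type": "IAMUser", "accountId": "123456789012",
            "arn": "arn:aws:iam::123456789012:user/intern"}

SAMPLE_EVENTS = [  # constructed
    _record("e1", "GetObject", ROLE_SESSION, "10.0.1.23", vpce=TRUSTED_VPCE),
    _record("e2", "GetObject", ROLE_SESSION, "203.0.113.7"),                       # bypassed the endpoint
    _record("e3", "PutObject", IAM_USER, "10.0.1.44", vpce=TRUSTED_VPCE, error="AccessDenied"),
    _record("e4", "GetObject", ROLE_SESSION, "10.0.1.23", vpce=TRUSTED_VPCE, tls=False,
            error="AccessDenied"),                                                  # plain HTTP
    _record("e5", "GetObject", ROLE_SESSION, "10.0.1.23", bucket="securecart-public-assets",
            vpce=TRUSTED_VPCE),                                                     # other bucket
]


def findings_for(event):
    """Return the rule violations visible in one record; [] for clean or irrelevant records."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return []
    if event.get("requestParameters", {}).get("bucketName") != BUCKET:
        return []
    ident = event.get("userIdentity", {})
    principal = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", ident.get("arn"))
    issues = []
    if principal != TRUSTED_ROLE:
        issues.append("untrusted principal")
    if event.get("vpcEndpointId") != TRUSTED_VPCE:
        issues.append("not via trusted endpoint")
    if "tlsDetails" not in event:
        issues.append("plaintext HTTP")
    if event.get("errorCode"):
        issues.append(f"error {event['errorCode']}")
    return issues


def triage(events):
    """Map eventID to its findings for every record on the bucket that has at least one."""
    return {e["eventID"]: f for e in events if (f := findings_for(e))}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

A successful record like e2, with a public source address and no vpcEndpointId, is the signature of the gap Step 4 warns about: the principal was allowed, but the request never touched the endpoint policy. To run this on real logs, load each delivered CloudTrail file with json.load and pass its "Records" list to triage.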

Final Result: Traffic through the endpoint is limited to the trusted account, role and VPC and must use TLS. Together with the bucket policy from Step 4, the bucket is reachable only through that endpoint.


📌 Summary

🚀 SecureCart’s Trusted S3 VPC Endpoint Setup Achieves:
✔ Private access to S3 from the VPC without traversing the public internet.
✔ IAM role-based access control for traffic through the endpoint.
✔ The source VPC pinned in the endpoint policy and, with the companion bucket policy, the bucket reachable only through the trusted endpoint.
✔ HTTPS enforced so credentials and data are never sent in the clear.
