Tags: amazon-web-services, amazon-s3, amazon-iam

How to provide multiple StringNotEquals conditions in AWS policy?


I am trying to write an AWS S3 bucket policy that denies all traffic except when it comes from two VPCs. The policy I'm trying to write looks like the one below, with a logical AND between the two StringNotEquals (except that it's an invalid policy):

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Allow-access-only-from-two-VPCs",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbccc"
         },
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbddd"
         }
       },
       "Principal": "*"
     }
   ]
}

If I use this:

"StringNotEquals": {
  "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
}

then at least one of the string comparisons returns true and the S3 bucket is not accessible from anywhere.
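As an added illustration (not part of the question or the answer), here is a small Python model of how a single negated condition operator with several values is evaluated: a StringNotEquals list means "not equal to any of these", and a request context that lacks the aws:sourceVpc key altogether (as a request that does not arrive through a VPC endpoint would) also satisfies the negated condition, so the Deny statement applies to it. The evaluator and the request contexts are constructed for this example.

```python
"""Toy model of IAM condition evaluation for a Deny statement (added example,
not AWS code).  It implements only the StringNotEquals operator."""
from typing import Dict, List, Optional, Union

# Constructed statement mirroring the question: deny unless the request
# comes from one of the two listed VPCs.
DENY_STATEMENT = {
    "Effect": "Deny",
    "Condition": {
        "StringNotEquals": {"aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]}
    },
}


def _as_list(values: Union[str, List[str]]) -> List[str]:
    """A condition value may be written as one string or as a list."""
    return [values] if isinstance(values, str) else list(values)


def string_not_equals(actual: Optional[str], values: Union[str, List[str]]) -> bool:
    """Negated operator with several values: true when the context value
    matches none of them.  A missing key equals nothing, so the negated
    condition is also true; that is why a bare Deny with StringNotEquals on
    aws:sourceVpc also hits requests made outside any VPC endpoint."""
    return actual is None or actual not in _as_list(values)


def condition_matches(condition: Dict, context: Dict[str, str]) -> bool:
    """Every operator block and every key inside it must be true (logical AND)."""
    for operator, keys in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)  # only the operator used on this page
        for key, values in keys.items():
            if not string_not_equals(context.get(key), values):
                return False
    return True


def is_denied(statement: Dict, context: Dict[str, str]) -> bool:
    """True when the Deny statement's condition is satisfied by the request context."""
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], context)


if __name__ == "__main__":
    # Constructed request contexts: the two intended VPCs, a third VPC, and
    # a request with no aws:sourceVpc key at all.
    for ctx in ({"aws:sourceVpc": "vpc-111bbccc"}, {"aws:sourceVpc": "vpc-111bbddd"},
                {"aws:sourceVpc": "vpc-000other"}, {}):
        print(ctx, "->", "DENIED" if is_denied(DENY_STATEMENT, ctx) else "not denied")
```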


Solution

  • Never tried this before. But the following should work. From: Using IAM Policy Conditions for Fine-Grained Access Control

        "Condition": {
            "ForAllValues:StringNotEquals": {
                "aws:sourceVpc": [
                    "vpc-111bbccc",
                    "vpc-111bbddd"
                ]
            },