Join Log in
Score:1
avatar Server

S3 policy to allow by IP can't be changed

ua flag
Tim Tisdall

We have an S3 bucket with website content in it that's served to the public through a proxy cache. The access to the bucket is limited to the IPs used by the proxy. This is all working fine.

New IPs were recently added to the proxy, but we're not able to add those to the policy. Directly editing the policy gives a "permission denied" no matter what permissions the user has. We discovered that we could work around this by temporarily unblocking public access to the bucket. However, if we add new IPs, after re-blocking public access we discover that all requests are blocked. If we revert the changes to the policy back to the original list of IPs then it goes back to working.

The policy is fairly basic and looks like this (edited for privacy):

{
    "Version": "2012-10-17",
    "Id": "my-bucket",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "23.235.32.0/20",
                        "43.249.72.0/22",
                        "103.244.50.0/24",
                        "103.245.222.0/23",
                        "103.245.224.0/24",
                        "104.156.80.0/20",
                        "140.248.64.0/18",
                        "140.248.128.0/17",
                        "146.75.0.0/17",
                        "151.101.0.0/16",
                        "157.52.64.0/18",
                        "167.82.0.0/17",
                        "167.82.128.0/20",
                        "167.82.160.0/20",
                        "167.82.224.0/20",
                        "172.111.64.0/18",
                        "185.31.16.0/22",
                        "199.27.72.0/21",
                        "199.232.0.0/16",
                        "2a04:4e40::/32",
                        "2a04:4e42::/32"
                    ]
                }
            }
        }
    ]
}
32
0 + 0
ua flag
Tim Tisdall
After a lot of trial-and-error, it seems like things fail when we have 2 IPv6 ranges at the end of the list.
0
Reply
cn flag
shearn89
That sounds like an escaping error or bug to me!
0
Reply
cn flag
shearn89
What netmask did the IPv6 ranges have?
0
Reply
ua flag
Tim Tisdall
@shearn89 - I've updated the question with the actual IPs used. It's taken from Fastly's list of public IP addresses.
0
Reply
Score:0
avatar Server
cn flag
shearn89

I think you might be bumping into this.

I believe if you have a large list of IPs, and you have block public access turned on at the account level, then you run into this edge case.

With BPA turned on, S3 checks policies to prevent people allowing 0/0 or similar. For large enough IP ranges or lists, the checks that S3 uses behind the scenes to determine 'public' will have too wide a range to check, and will time out or error.

If you can narrow down some of your ranges, or find another way to protect the data, you should be okay.

0 + 0
ua flag
Tim Tisdall
I've updated the question. We have 21 ranges. We found dropping the last one allowed it to work so thought perhaps 2 IPv6 caused a problem, but maybe the problem is you can't have more than 20? This all seems like some really terrible design choices on AWS's side if you get no syntax issues when saving the policy.
0
Reply
ua flag
Tim Tisdall
Actually, I we had around 17-18 before and adding a single IPv6 in one test seemed to cause it to fail.
0
Reply
cn flag
shearn89
I think a `/32` IPv6 is the limit for IPv6, so having multiple IPv6 ranges is the problem. I would suggest reaching out to AWS support if you have it to raise a ticket - potentially additional feedback that could help make it clearer.
0
Reply
cn flag
shearn89
I suspect if you just had the 2 IPv6 ranges and no IPv4 you'd still hit the problem, it's not a list-length issue but a size-of-range allowed issue!
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.