Forum Discussion

Madan
4 days ago

S3: Demonstrate Your Skills

I have completed all 10 questions except question 6.

6. Access control

Create an access point (AP) called metrolio-dev-ap attached to the metrolio-data-467e6352 bucket.

This should allow developers working in the dev vpc vpc-08333ea4fc7562479 using the role arn:aws:iam::447645673093:role/metrolio-developer to list and get all objects in the bucket.

Ensure you follow best practices of blocking public access.

NOTE: AWS often faces internal errors – we believe these to be race conditions – when applying policies to new access points. You may need to re-apply the policy to the AP.

I have re-applied the Access Point policy several times, but it is still not detected.

I’m not sure if it is my Access Point policy or the AWS Immersivelabs that is at fault. Any help would be greatly appreciated.

This is my Access Point Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::447645673093:role/metrolio-developer"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap/object/*",
                "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-08333ea4fc7562479"
                }
            }
        }
    ]
}

I tried to replicate similar permissions in the bucket policy, only to be denied by a restrictive permission.

NOTE: Account ID, bucket names and a few other identifiers do not match between screenshots 1-2 and screenshot 3. Screenshot 3 is from a different attempt.


1 Reply

  • Morning Madan,

    You're very nearly there! You just need to remove the condition block from your access point policy statement. It's not necessary when you have already set the access point's network origin to be a specific VPC.

    Although the `aws:SourceVpc` condition can also restrict access to a specific VPC, it functions differently. Specifying a network origin creates a network-level restriction on the access point, whereas using a condition creates a policy-level restriction. This can be especially important if an access point policy is using `Deny` as the effect, because requests from outside of AWS VPCs (e.g., over the internet) won't have an `aws:SourceVpc` context key, so conditions may not be met as expected, providing unintended access.

    Therefore, from a security perspective, it's encouraged to restrict access to the access point by setting the network origin, which gives network-level isolation.

    Hope this helps, and well done on completing the rest of the tasks 😄
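The setup the reply describes, as an added example that is not part of the original post or of the Immersive Labs exercise: it builds the access point request with a VPC network origin and all four public-access blocks, the access point policy without the `aws:SourceVpc` condition, a small lint for the `Deny` + `aws:SourceVpc` pattern the reply warns about, and a retry helper for re-applying the policy after the transient internal error the lab note mentions. The identifiers (account, region, bucket, VPC, role) are taken from the thread; the code makes no AWS calls itself, it only produces the dicts you would hand to boto3's `s3control` client (`create_access_point`, `put_access_point_policy`), so it runs offline.

```python
"""Build the S3 access point request, policy and public-access-block settings
from the thread, lint the policy, and retry a policy put.

Added example, not code from the original post or from Immersive Labs.
Nothing here talks to AWS: the functions return the request dicts that
boto3's s3control client expects (create_access_point / put_access_point_policy).
"""
import json
import time

ACCOUNT = "447645673093"
REGION = "eu-west-1"
BUCKET = "metrolio-data-467e6352"
AP_NAME = "metrolio-dev-ap"
VPC_ID = "vpc-08333ea4fc7562479"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/metrolio-developer"
AP_ARN = f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{AP_NAME}"


def create_access_point_params() -> dict:
    """Parameters for s3control.create_access_point: the VPC network origin
    restricts the AP at the network level, and all four public-access blocks
    follow the task's best-practice requirement."""
    return {
        "AccountId": ACCOUNT,
        "Name": AP_NAME,
        "Bucket": BUCKET,
        "VpcConfiguration": {"VpcId": VPC_ID},
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    }


def access_point_policy() -> dict:
    """List and get for the developer role through the access point.
    No aws:SourceVpc condition: the VPC origin already enforces the VPC restriction."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": ROLE_ARN},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [AP_ARN, f"{AP_ARN}/object/*"],
            }
        ],
    }


def policy_json(policy: dict) -> str:
    """Serialise a policy dict to the string put_access_point_policy takes as Policy."""
    return json.dumps(policy, indent=4)


POSITIVE_MATCH_OPERATORS = ("StringEquals", "StringLike", "ArnEquals", "ArnLike")


def lint_policy(policy: dict) -> list[str]:
    """Flag aws:SourceVpc conditions. A request that does not come through a VPC
    carries no aws:SourceVpc key, so a positive-match condition evaluates false;
    on a Deny statement that means the Deny silently does not apply to such
    requests. Any other aws:SourceVpc condition is redundant once the access
    point has a VPC network origin."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for op, keys in stmt.get("Condition", {}).items():
            if "aws:SourceVpc" not in keys:
                continue
            if stmt.get("Effect") == "Deny" and op in POSITIVE_MATCH_OPERATORS:
                findings.append(
                    f"statement {i}: Deny conditioned on {op} aws:SourceVpc "
                    "does not apply to requests that carry no aws:SourceVpc key"
                )
            else:
                findings.append(
                    f"statement {i}: aws:SourceVpc condition is redundant when "
                    "the access point has a VPC network origin"
                )
    return findings


def apply_with_retry(put_policy, attempts: int = 5, delay: float = 1.0) -> int:
    """Call put_policy() until it succeeds and return the attempt number.
    Stands in for re-applying put_access_point_policy after the transient
    internal error the lab note describes; pass the boto3 call as put_policy."""
    for attempt in range(1, attempts + 1):
        try:
            put_policy()
            return attempt
        except Exception:
            if attempt == attempts:
                raise
            time.sleep(delay)
    raise RuntimeError("unreachable")


if __name__ == "__main__":
    print(json.dumps(create_access_point_params(), indent=4))
    print(policy_json(access_point_policy()))
    print(lint_policy(access_point_policy()))
```

To apply it for real you would pass `**create_access_point_params()` to `boto3.client("s3control", region_name=REGION).create_access_point(...)` and wrap `put_access_point_policy(AccountId=ACCOUNT, Name=AP_NAME, Policy=policy_json(access_point_policy()))` in `apply_with_retry`; running `lint_policy` on the policy from the original post returns the "redundant" finding, which is exactly the condition block the reply says to remove.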