20240824_JAWSPANKRATION2024_Restricting S3 Bucket Policies for Inbound Traffic from Athena

Restricting S3 Bucket Policies for Inbound Traffic from Athena JAWS PANKRATION 2024 TT-30 2024/08/24 12:20(GMT) Tatsuya Sato

Tatsuya Sato @masno_soy Work iret Inc. ・Project Manager ・Infra Engineer Certification 2024 Japan AWS All Certifications Engineers Community JAWS-UG Streamers Member My Favorite AWS Service AWS Support

Do you use Athena to analyze S3 server access logs?

Introducing My Trial and Error Process... Enabling Athena Communication for an Access-Controlled S3 Bucket

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

Structure and Objectives

Structure and Objectives To put it simply, I want to allow only certain VPCs.

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

Communication Control Methods Our focus today is to understand S3 Bucket Policy and relevant access control methods. The primary four methods are as follows : Control with VPC ID / VPCE ID Control with Global IP Control with CalledVia context keys Control with IAM User / IAM Role

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

VPC ID / VPCE ID Failed Pattern .

VPC ID / VPCE ID Failed Pattern According to the official AWS blog, VPC endpoints cannot be used. As stated in the AWS Security Blog : The subsequent calls between Athena and Amazon S3 don’t use the VPC endpoint. If I want to require that each call to Athena must use the VPC endpoint, I cannot apply the same restriction to Athena’s calls to Amazon S3. I will need to use aws:CalledVia to define distinct permissions for the initial call to Athena, and the call to Amazon S3 from Athena. (Source : How to restrict Amazon S3 bucket access to a specific IAM role)

• https://aws.amazon.com/jp/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

Global IP Exclude specific IP addresses from Deny conditions { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject*", "Resource": [ "arn:aws:s3:::MyS3ServerAccessLogsBucket", "arn:aws:s3:::MyS3ServerAccessLogsBucket/*" ], "Condition": { "NotIpAddress": { "aws:SourceIp": [ "53.yy.yy.yy/32" ] } } } Source communication results of Athena queries: OK Specified IP addresses NG Restricting to specific resources

CalledVia context keys Exclude Athena traffic from Deny conditions ...(ellipsis) "Condition": { "NotIpAddress": { "aws:SourceIp": [ "53.yy.yy.yy/32" ] }, "ForAnyValue:StringNotEquals": { "aws:CalledVia": "athena.amazonaws.com" } } (ellipsis)... Source communication results of Athena queries: OK Allow from all IP addresses NG Restricting to specific IP addresses, VPCs, or resources

IAM User / IAM Role IDs Exclude Athena traffic from Deny conditions ...(ellipsis) "Condition": { "NotIpAddress": { "aws:SourceIp": [ "53.yy.yy.yy/32" ] }, "StringNotLike": { "aws:userid": [ "AXXXXXXXXXXXXXXXXXXX:*" ] } } (ellipsis)... Source communication results of Athena queries: OK Allow from all IP addresses NG Restricting to specific IP addresses or VPCs

Verification Results Control with Global IP Control can be done at the VPC level Control with CalledVia context keys Allows all Athena communication Control with IAM User / IAM Role Control can be achieved at resource level IP control is required in IAM policy

Key Takeaways IAM The most granular control can be achieved using IAM. However, IP restrictions must be enforced in IAM policies. Frequent changes in IAM users or roles can increase the operational burden. Global IP Using Global IP control likely offers the least operational burden. CalledVia context keys It is important to consider what level of risk and cost is acceptable.

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

Summary Three methods can be used to permit access between Athena and S3: IP addresses CalledVia context key IAM (user/role) IDs Using VPC ID / VPCE ID is not possible Defining NAT Gateway (Global IP) and IAM policies is crucial

Thank you for listening !

Appendix References: # How to define least-privileged permissions for actions called by AWS services https://aws.amazon.com/jp/blogs/security/how-to-define-least-privileged-permissions-for-actions-called-by-awsservices/ # AWS global condition context keys > Properties of the request https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestproperties # Using Athena with CalledVia context keys https://docs.aws.amazon.com/athena/latest/ug/security-iam-athena-calledvia.html # How to restrict Amazon S3 bucket access to a specific IAM role https://aws.amazon.com/jp/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/ # Restricting S3 Bucket Policies for Inbound Traffic from Athena https://soypocket.com/it/s3-ip-restrict-how-to-control-from-athena/

• https://aws.amazon.com/jp/blogs/security/how-to-define-least-privileged-permissions-for-actions-called-by-aws-services/
• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-request-properties
• https://docs.aws.amazon.com/athena/latest/ug/security-iam-athena-calledvia.html
• https://aws.amazon.com/jp/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
• https://soypocket.com/it/s3-ip-restrict-how-to-control-from-athena/