{"id":2267,"date":"2021-04-06T18:21:14","date_gmt":"2021-04-06T15:21:14","guid":{"rendered":"https:\/\/artem.services\/?p=2172"},"modified":"2022-06-08T21:06:14","modified_gmt":"2022-06-08T18:06:14","slug":"2267","status":"publish","type":"post","link":"https:\/\/artem.services\/?p=2267&lang=en","title":{"rendered":"\u00a0AWS — S3: Allow public access to objects over VPN"},"content":{"rendered":"

\"\"<\/p>\n

Goal:<\/h3>\n

Allow public read access for all objects in the S3<\/strong> bucket only using a VPN<\/strong> connection, objects must be non-public to connect from the world.<\/span><\/span> OpenVPN<\/strong> is used as a VPN<\/strong> service, which can be deployed anywhere, so we will build an allow a rule to check the IP<\/strong> address.<\/span><\/span><\/span><\/p>\n

 <\/p>\n

First you need to find out the list of networks that belong to the endpoints of the S3 service in the region we need, so as not to wrap all traffic through the VPN.<\/span><\/span> To do this, download the current list of networks<\/a> and parse it:<\/span><\/span><\/span><\/p>\n

\r\njq '.prefixes[] | select(.region=="eu-central-1") | select(.service=="S3") | .ip_prefix' < ip-ranges.json\r\n<\/pre>\n
 <\/p>\n
Where, "eu-central-1<\/strong>" is the region where the necessary S3 bucket is located.<\/span><\/span><\/span><\/p><\/blockquote>\n
 <\/p>\n
You should get an output like:<\/span><\/span><\/span><\/p>\n
\r\n"52.219.170.0\/23"\r\n"52.219.168.0\/24"\r\n"3.5.136.0\/22"\r\n"52.219.72.0\/22"\r\n"52.219.44.0\/22"\r\n"52.219.169.0\/24"\r\n"52.219.140.0\/24"\r\n"54.231.192.0\/20"\r\n"3.5.134.0\/23"\r\n"3.65.246.0\/28"\r\n"3.65.246.16\/28"\r\n<\/pre>\n
 <\/p>\n
Now we translate the subnet mask into a 4-byte format and add the parameters to the OpenVPN<\/strong> server configuration as "push<\/strong>" parameters:<\/span><\/span><\/span><\/p>\n
\r\npush "route 52.219.170.0 255.255.254.0"\r\npush "route 52.219.168.0 255.255.255.0"\r\npush "route 3.5.136.0 255.255.252.0"\r\npush "route 52.219.72.0 255.255.252.0"\r\npush "route 52.219.44.0 255.255.252.0"\r\npush "route 52.219.169.0 255.255.255.0"\r\npush "route 52.219.140.0 255.255.255.0"\r\npush "route 54.231.192.0 255.255.240.0"\r\npush "route 3.5.134.0 255.255.254.0"\r\npush "route 3.65.246.0 255.255.255.240"\r\npush "route 3.65.246.16 255.255.255.240"\r\n<\/pre>\n
 <\/p>\n
We restart the OpenVPN<\/strong> server service and after reconnecting we should get a list of required networks and traffic that will go through the VPN<\/strong> connection.<\/span><\/span><\/span><\/p>\n
 <\/p>\n
Now it remains to add the following policy to the S3<\/strong> bucket:<\/span><\/span><\/span><\/p>\n
\r\n{\r\n    "Version": "2012-10-17",\r\n    "Statement": [\r\n        {\r\n            "Sid": "Allow only from VPN",\r\n            "Effect": "Allow",\r\n            "Principal": "*",\r\n            "Action": [\r\n                "s3:GetObject",\r\n                "s3:ListBucket"\r\n            ],\r\n            "Resource": [\r\n                "arn:aws:s3:::artem-services",\r\n                "arn:aws:s3:::artem-services\/*"\r\n            ],\r\n            "Condition": {\r\n                "IpAddress": {\r\n                    "aws:SourceIp": "1.2.3.4"\r\n                }\r\n            }\r\n        }\r\n    ]\r\n}\r\n<\/pre>\n
 <\/p>\n
Where, "artem-services<\/strong>" is the name of the S3<\/strong> bucket and "1.2.3.4<\/strong>" is the IP<\/strong> address of the OpenVPN<\/strong> server.<\/span><\/span><\/span><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"
Goal: Allow public read access for all objects in the S3 bucket only using a VPN connection, objects must be non-public to connect from the world. OpenVPN is used as a VPN service, which can be deployed anywhere, so we will build an allow a rule to check the IP address.   First you need … \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u0447\u0438\u0442\u0430\u0442\u044c "\u00a0AWS — S3: Allow public access to objects over VPN"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[599],"tags":[543,1337,483,1843],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2267"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2267"}],"version-history":[{"count":2,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2267\/revisions"}],"predecessor-version":[{"id":2269,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2267\/revisions\/2269"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}