20240824_JAWSPANKRATION2024_Restricting S3 Bucket Policies for Inbound Traffic from Athena

748 Views

August 24, 24

スライド概要

S3バケットポリシーでAthenaのFrom通信を出来る限り制限したい

・AthenaとS3間のアクセス許可は以下3つが利用可能
 ・IPアドレス
 ・CalledViaコンテキストキー
 ・IAM(ユーザ / ロール) ID
・VPC ID / VPCE IDでの制御は出来ない
・NATGatewayとIAMポリシーの設計が必要

profile-image

仕事:AWS運用保守&PM的なことをしています。 2023-24 Japan AWS All Certifications Engineers.

シェア

またはPlayer版

埋め込む »CMSなどでJSが使えない場合

関連スライド

各ページのテキスト
1.

Restricting S3 Bucket Policies for Inbound Traffic from Athena JAWS PANKRATION 2024 TT-30 2024/08/24 12:20(GMT) Tatsuya Sato

2.

Tatsuya Sato @masno_soy Work iret Inc. ・Project Manager ・Infra Engineer Certification 2024 Japan AWS All Certifications Engineers Community JAWS-UG Streamers Member My Favorite AWS Service AWS Support

3.

Do you use Athena to analyze S3 server access logs?

4.

Introducing My Trial and Error Process... Enabling Athena Communication for an Access-Controlled S3 Bucket

5.

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

6.

Structure and Objectives

7.

Structure and Objectives To put it simply, I want to allow only certain VPCs.

8.

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

9.

Communication Control Methods Our focus today is to understand S3 Bucket Policy and relevant access control methods. The primary four methods are as follows : Control with VPC ID / VPCE ID Control with Global IP Control with CalledVia context keys Control with IAM User / IAM Role

10.

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

11.

VPC ID / VPCE ID Failed Pattern .

12.

VPC ID / VPCE ID Failed Pattern According to the official AWS blog, VPC endpoints cannot be used. As stated in the AWS Security Blog : The subsequent calls between Athena and Amazon S3 don’t use the VPC endpoint. If I want to require that each call to Athena must use the VPC endpoint, I cannot apply the same restriction to Athena’s calls to Amazon S3. I will need to use aws:CalledVia to define distinct permissions for the initial call to Athena, and the call to Amazon S3 from Athena. (Source : How to restrict Amazon S3 bucket access to a specific IAM role)

13.

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

14.

Global IP Exclude specific IP addresses from Deny conditions { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject*", "Resource": [ "arn:aws:s3:::MyS3ServerAccessLogsBucket", "arn:aws:s3:::MyS3ServerAccessLogsBucket/*" ], "Condition": { "NotIpAddress": { "aws:SourceIp": [ "53.yy.yy.yy/32" ] } } } Source communication results of Athena queries: OK Specified IP addresses NG Restricting to specific resources

15.

CalledVia context keys Exclude Athena traffic from Deny conditions ...(ellipsis) "Condition": { "NotIpAddress": { "aws:SourceIp": [ "53.yy.yy.yy/32" ] }, "ForAnyValue:StringNotEquals": { "aws:CalledVia": "athena.amazonaws.com" } } (ellipsis)... Source communication results of Athena queries: OK Allow from all IP addresses NG Restricting to specific IP addresses, VPCs, or resources

16.

IAM User / IAM Role IDs Exclude Athena traffic from Deny conditions ...(ellipsis) "Condition": { "NotIpAddress": { "aws:SourceIp": [ "53.yy.yy.yy/32" ] }, "StringNotLike": { "aws:userid": [ "AXXXXXXXXXXXXXXXXXXX:*" ] } } (ellipsis)... Source communication results of Athena queries: OK Allow from all IP addresses NG Restricting to specific IP addresses or VPCs

17.

Verification Results Control with Global IP Control can be done at the VPC level Control with CalledVia context keys Allows all Athena communication Control with IAM User / IAM Role Control can be achieved at resource level IP control is required in IAM policy

18.

Key Takeaways IAM The most granular control can be achieved using IAM. However, IP restrictions must be enforced in IAM policies. Frequent changes in IAM users or roles can increase the operational burden. Global IP Using Global IP control likely offers the least operational burden. CalledVia context keys It is important to consider what level of risk and cost is acceptable.

19.

Agenda Structure and Objectives Communication Control Methods VPC ID / VPCE ID (* Failed Pattern) Global IP CalledVia context keys IAM User / IAM Role IDs Summary

20.

Summary Three methods can be used to permit access between Athena and S3: IP addresses CalledVia context key IAM (user/role) IDs Using VPC ID / VPCE ID is not possible Defining NAT Gateway (Global IP) and IAM policies is crucial

21.

Thank you for listening !

22.

Appendix References: # How to define least-privileged permissions for actions called by AWS services https://aws.amazon.com/jp/blogs/security/how-to-define-least-privileged-permissions-for-actions-called-by-awsservices/ # AWS global condition context keys > Properties of the request https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestproperties # Using Athena with CalledVia context keys https://docs.aws.amazon.com/athena/latest/ug/security-iam-athena-calledvia.html # How to restrict Amazon S3 bucket access to a specific IAM role https://aws.amazon.com/jp/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/ # Restricting S3 Bucket Policies for Inbound Traffic from Athena https://soypocket.com/it/s3-ip-restrict-how-to-control-from-athena/