I want to restrict the outbound security group from an EC2 instance. The instance only needs to access an S3 bucket. I just learned that S3 uses port HTTPS (443). I could just put that rule in place to allow any connection to any ip as long as it is HTTPS, but is it possible to just allow the EC2 instance to access the S3? Is there any ip connected to the S3 bucket or can I set one?
5 Answers
is it possible to just allow the EC2 instance to access the S3? Is there any ip connected to the S3 bucket or can I set one?
S3 uses many IPs. I suspect it would be difficult to nail down a list of them all. Additionally, there is no IP-to-bucket mapping, and it is not possible for you to specify an IP for a bucket. S3 is a managed service that AWS runs, and they have sole full control over their IP address usage for the service.
If you need to filter at this level, the easiest thing to do is to use a forward proxy (like squid) with a default deny ACL and then allowing only access to the S3 domain.
-  Many thanks, I was kind of expecting that answer, but I was hoping for something better... Amazon should make another type of S3 which lives more inside of a VPC which makes security much easier IMO. – user277526, Mar 30, 2015 at 18:16
-  VPCs are built to be truly private. It would go against that to have them provide access to a service like S3 within the VPC. In regards to your last statement - security is never easy. And if it is, you're doing it wrong. – EEAA, Mar 30, 2015 at 18:18
-  Here are the S3 endpoints: docs.aws.amazon.com/general/latest/gr/rande.html#s3_region – Eric Hammond, Mar 30, 2015 at 20:21
-  ... and you can use the prefix list ids (pl-XXXX) in the security groups to restrict access :) – galaxy, Apr 24, 2017 at 9:59
You may want to use VPC endpoints here.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
"A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT instance, a VPN connection, or AWS Direct Connect. Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic."
-  I agree with VPC endpoints, but how to configure security group to allow outbound access to ONLY S3 buckets? – Anatol Bivol, Jan 31, 2020 at 10:40
-  I found this great answer that explains how to do it serverfault.com/a/726419/454698 – Anatol Bivol, Jan 31, 2020 at 10:57
AWS provides a list of their public IP ranges via JSON. (perhaps other formats as well, but I'm not certain.) Building a tool to ensure the JSON is parsed and the proper firewall rules are applied should be relatively straightforward. Please see the following blog article for further information. :)
-  The IP address ranges do not specify S3 endpoints. – Eric Hammond, Mar 30, 2015 at 20:20
-  Are you suggesting that the s3 endpoints lie outside of the region blocks? I don't know for certain, but I'm pretty sure that the s3 endpoints for each region are within those blocks. Have you tried it without success? – Bill B, Mar 31, 2015 at 18:28
Building off of this answer, the AWS IP Ranges available in JSON here (https://ip-ranges.amazonaws.com/ip-ranges.json) now specify which services are available from which IP ranges (S3 has 136 entries as of writing this).
Therefore, if you have a security group with those entries, you could whitelist S3 as a service. The list will change and may include other AWS services, but it is a start.
USE BELOW CURL CALL & REPLACE REGION
curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="S3") | .ip_prefix'
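The two answers above (filter ip-ranges.json for the S3 entries of one region, then put those CIDRs into the security group) are shown below as an added Python example; it is not code from any of the answers or from AWS. It does offline what the curl | jq one-liner does, validates every entry as a CIDR, builds the IpPermissions structure that boto3's authorize_security_group_egress takes (the API call itself is not made, so nothing touches the network), checks the count against an assumed default quota of 60 rules per security group, and diffs two downloads so an update job knows what to add and revoke, since the list changes over time. The JSON document is a constructed sample using documentation ranges, not real AWS prefixes, and "pl-xxxxxxxx" is a placeholder for the managed prefix list ID of an S3 gateway endpoint mentioned in the comments.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The CIDRs are documentation ranges (RFC 5737 / RFC 3849), not real AWS prefixes;
# in practice you feed s3_prefixes() the body returned by the curl call above.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    ],
})

# Assumed default quota for rules per security group (per direction). Confirm the
# value for your account: it is adjustable, and a CIDR-per-rule list can exceed it.
DEFAULT_SG_RULE_QUOTA = 60


def s3_prefixes(ip_ranges_json, region, include_ipv6=False):
    """Same selection as the jq filter above: S3 prefixes for one region,
    de-duplicated, validated as CIDRs and sorted (IPv4 before IPv6)."""
    doc = json.loads(ip_ranges_json)
    selected = {p["ip_prefix"] for p in doc["prefixes"]
                if p["region"] == region and p["service"] == "S3"}
    if include_ipv6:
        selected |= {p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", [])
                     if p["region"] == region and p["service"] == "S3"}
    # Reject anything that is not a well-formed network before it becomes a rule.
    nets = [ipaddress.ip_network(cidr, strict=True) for cidr in selected]
    nets.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in nets]


def egress_permissions(prefixes, port=443):
    """Build the IpPermissions list in the shape boto3's
    authorize_security_group_egress takes: TCP/443 only, to the given CIDRs."""
    v4 = [{"CidrIp": p, "Description": "S3 (ip-ranges.json)"} for p in prefixes if ":" not in p]
    v6 = [{"CidrIpv6": p, "Description": "S3 (ip-ranges.json)"} for p in prefixes if ":" in p]
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": v4, "Ipv6Ranges": v6}]


def prefix_list_permission(prefix_list_id, port=443):
    """The VPC-endpoint alternative from the comments: a single egress rule that
    references the S3 gateway endpoint's managed prefix list instead of CIDRs.
    prefix_list_id is a placeholder like "pl-xxxxxxxx"; use the ID from your region."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "PrefixListIds": [{"PrefixListId": prefix_list_id,
                                "Description": "S3 gateway endpoint"}]}]


def fits_in_one_group(prefixes, quota=DEFAULT_SG_RULE_QUOTA):
    """Each CIDR counts as one rule against the per-group quota."""
    return len(prefixes) <= quota


def prefix_changes(old_json, new_json, region, include_ipv6=False):
    """The published list changes: compare two downloads and report what an
    update job must add and revoke, plus whether the syncToken moved at all."""
    old = set(s3_prefixes(old_json, region, include_ipv6))
    new = set(s3_prefixes(new_json, region, include_ipv6))
    token_changed = json.loads(old_json)["syncToken"] != json.loads(new_json)["syncToken"]
    return {"token_changed": token_changed,
            "add": sorted(new - old), "revoke": sorted(old - new)}


if __name__ == "__main__":
    cidrs = s3_prefixes(SAMPLE_IP_RANGES, "us-east-1", include_ipv6=True)
    print(cidrs)
    print(egress_permissions(cidrs))
    print("fits in one security group:", fits_in_one_group(cidrs))
```

With the real file the S3 list for a busy region is longer than a default security group holds (the answer above counted 136 entries), so fits_in_one_group() is the check to run before calling the API; the gateway endpoint with its prefix list keeps that to one rule, which is why the comments point there.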