I'm using Amazon Simple Storage Service (Amazon S3) to host my static website. I attached a bucket policy that limits access to the bucket so that only a specific Amazon Virtual Private Cloud (Amazon VPC) is allowed access. However, I'm still able to access the website from public IP addresses. How can I fix this?

Before you begin troubleshooting, be sure to confirm that:

  • Your web browser or proxy cache is cleared so that you're viewing the latest configuration.
  • The Amazon Elastic Compute Cloud (Amazon EC2) instance that you're accessing the bucket from is in the same AWS Region as the bucket.
  • The VPC endpoint is associated with the route table of the EC2 instance that you're using, so that the traffic carries the VPC ID referenced in the bucket policy.

Check the bucket policy

Review the statements in your bucket policy to confirm that the policy allows access to the bucket from the VPC. For example, the following bucket policy statement allows s3:GetObject on the condition that the request is from vpc-id123456:

Note: Although static website hosting allows unauthenticated (anonymous) requests, if a user does authenticate, then they can be granted access based on their credentials. For example, users who authenticate with an AWS Identity and Access Management (IAM) role that has full access to Amazon S3 can still download objects outside of the VPC, despite the following bucket policy. If you need a more restrictive bucket policy, see Restricting Access to a Specific VPC, which denies access even to administrator or AWS Account root users when the request doesn't come from the VPC.
{
  "Version": "2012-10-17",
  "Id": "Policy1",
  "Statement": [{
    "Sid": "Access-to-Trusted-VPC-only",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject*",
    "Resource": "arn:aws:s3:::awsexamplebucket/*",
    "Condition": {
      "StringEquals": {
        "aws:sourceVpc": "vpc-id123456"
      }
    }
  }]
}

Check the object access control list (ACL)

After you confirm that the bucket policy is correct, check if any object ACLs allow public access. If some object ACLs do allow public access and you want to override the ACLs, you can either configure the bucket's public access settings, or add an explicit deny statement to the bucket policy.

To override object ACLs by configuring the bucket's public access settings using the Amazon S3 console, select Remove public access granted through public ACLs. This setting overrides all existing or new public access granted by ACLs.

Note: You can also configure the bucket's public access settings using the AWS Command Line Interface (AWS CLI), an AWS SDK, or the Amazon S3 REST API. For more information, see Using Amazon S3 Block Public Access.

To override object ACLs using a bucket policy, add a statement that explicitly denies actions if the request isn't from the VPC. For example, this bucket policy includes a statement that explicitly denies s3:GetObject if the request is not from vpc-id123456:

{
  "Version": "2012-10-17",
  "Id": "Policy1",
  "Statement": [
    {
      "Sid": "Access-to-Trusted-VPC-only",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject*",
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpc": "vpc-id123456"
        }
      }
    },
    {
      "Sid": "Deny-Access-Except-For-Trusted-VPC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-id123456"
        }
      }
    }
  ]
}
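The note above explains why the Allow-only policy still lets an authenticated IAM principal with full S3 access read objects from outside the VPC, and why the explicit Deny statement closes that gap. The following Python script is an added example, not AWS code or code from this article: it simulates, in simplified form, the documented evaluation order (an explicit Deny wins; otherwise an Allow from either the bucket policy or the caller's identity-based policy grants access; otherwise the request is implicitly denied) and runs both policies from this article through a few constructed request scenarios. The `identity_allows` flag, the scenario names, the object key `index.html`, the VPC ID `vpc-other999` and the `has_vpc_deny_guard` audit check are all assumptions made for the example; only the StringEquals and StringNotEquals operators on `aws:sourceVpc` are modelled.

```python
"""Simulate S3 bucket-policy evaluation for s3:GetObject requests.

Added example, not AWS-provided code. Simplified model of the evaluation
logic: explicit Deny wins; otherwise any Allow (bucket policy or the
caller's identity policy) grants access; otherwise implicit Deny.
"""
import fnmatch

TRUSTED_VPC = "vpc-id123456"  # VPC ID used in the article's policies


def vpc_statement(sid, effect, operator, action="s3:GetObject*"):
    """Build one bucket-policy statement conditioned on aws:sourceVpc."""
    return {
        "Sid": sid,
        "Effect": effect,
        "Principal": "*",
        "Action": action,
        "Resource": "arn:aws:s3:::awsexamplebucket/*",
        "Condition": {operator: {"aws:sourceVpc": TRUSTED_VPC}},
    }


# First policy from the article: Allow only.
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        vpc_statement("Access-to-Trusted-VPC-only", "Allow", "StringEquals"),
    ],
}

# Second policy from the article: Allow plus an explicit Deny guard.
ALLOW_AND_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        vpc_statement("Access-to-Trusted-VPC-only", "Allow", "StringEquals"),
        vpc_statement("Deny-Access-Except-For-Trusted-VPC", "Deny",
                      "StringNotEquals", action="s3:GetObject"),
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a Condition block (only the two string operators are modelled).

    As in IAM, a context key that is absent from the request fails
    StringEquals and satisfies StringNotEquals; a request arriving over the
    public internet has no aws:sourceVpc key at all.
    """
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled: {operator}")
    return True


def statement_applies(stmt, action, resource, context):
    """True when the statement's Action, Resource and Condition all match."""
    return (
        any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        and condition_matches(stmt.get("Condition", {}), context)
    )


def evaluate(bucket_policy, identity_allows, action, resource, context):
    """Return "Allow" or "Deny" for one request.

    identity_allows models a caller whose identity-based policy already
    allows the action (e.g. an IAM role with full S3 access). Anonymous
    website visitors have no identity policy, so they pass False.
    """
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in bucket_policy["Statement"]:
        if not statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    if identity_allows:
        decision = "Allow"  # identity policy Allow fills in when no Deny fired
    return decision


def run_scenarios(policy):
    """Constructed request scenarios (assumed object key and foreign VPC ID)."""
    obj = "arn:aws:s3:::awsexamplebucket/index.html"
    in_vpc = {"aws:sourceVpc": TRUSTED_VPC}
    public = {}  # no aws:sourceVpc key: request did not traverse the endpoint
    other_vpc = {"aws:sourceVpc": "vpc-other999"}
    return {
        "anonymous_from_vpc": evaluate(policy, False, "s3:GetObject", obj, in_vpc),
        "anonymous_from_internet": evaluate(policy, False, "s3:GetObject", obj, public),
        "iam_admin_from_internet": evaluate(policy, True, "s3:GetObject", obj, public),
        "iam_admin_from_other_vpc": evaluate(policy, True, "s3:GetObject", obj, other_vpc),
        # The Deny names only s3:GetObject, so GetObjectVersion is not guarded.
        "iam_admin_get_version_from_internet": evaluate(
            policy, True, "s3:GetObjectVersion", obj, public),
    }


def has_vpc_deny_guard(policy, action="s3:GetObject"):
    """Audit check: is there an explicit Deny on `action` keyed to the VPC?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
        if not_equals.get("aws:sourceVpc") == TRUSTED_VPC:
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("allow-only", ALLOW_ONLY_POLICY),
                         ("allow-and-deny", ALLOW_AND_DENY_POLICY)):
        print(f"{name}: deny guard present = {has_vpc_deny_guard(policy)}")
        for scenario, decision in run_scenarios(policy).items():
            print(f"  {scenario:38s} {decision}")
```

Running the script shows the Allow-only policy returning Allow for the IAM admin scenarios and the Allow-plus-Deny policy returning Deny for them, while anonymous requests from inside the VPC succeed under both. The last scenario is worth noting: because the article's Deny statement names `s3:GetObject` rather than `s3:GetObject*`, a request for `s3:GetObjectVersion` from an authenticated caller is not caught by it; if versioned reads matter in your setup, widen the Deny's Action accordingly.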

Published: 2019-03-19