I want my S3 bucket to be accessible in two ways:
- Via the console when I'm logged in, so I can modify files
- Via EC2 instances in a certain VPC (IAM roles are set up correctly for this)
Here's the bucket policy I'm using:
{
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [
        {
            "Sid": "Principal-Access",
            "Effect": "Allow",
            "Principal": {
                "CanonicalUser": "<my c_id>"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-keys",
                "arn:aws:s3:::my-keys/*"
            ]
        },
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::my-keys",
                "arn:aws:s3:::my-keys/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-<my_vpce_id>"
                }
            },
            "Principal": "*"
        }
    ]
}
This works for access from the VPC, but not for me logged in at the console. Obviously I can remove the bucket policy, make changes, then reapply it, but I'd rather not...
Do you have a specific user set up for console access? If your session is not using the CanonicalUser, then it will likely have no access.
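Two evaluation rules produce the behaviour described in the question: an explicit Deny always beats an Allow, and a negated operator such as StringNotEquals is satisfied when the request carries no aws:sourceVpce at all, which is the case for every console request because that traffic never goes through the endpoint. Since the Deny uses Principal "*", it matches the canonical user as well, so the Allow statement never gets a say. The Python below is an added example, not code from the question, the answer or AWS: it models only those rules over the posted policy and over a variant whose Deny also carries an ArnNotEquals on aws:PrincipalArn, so the console identity is carved out of it. The IAM user and role ARNs and the request contexts are constructed placeholders, and the model covers just the operators used here, not the full IAM evaluation logic.

```python
"""Toy model of bucket-policy evaluation (added example, not AWS code)."""
import copy
import fnmatch

BUCKET = "arn:aws:s3:::my-keys"
# Placeholders standing in for the asker's values; the ARNs are assumptions.
CANONICAL_USER = "<my c_id>"
CONSOLE_USER_ARN = "arn:aws:iam::123456789012:user/console-admin"
INSTANCE_ROLE_ARN = "arn:aws:iam::123456789012:role/ec2-keys-reader"
VPCE = "vpce-<my_vpce_id>"

# The policy as posted in the question.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Principal-Access", "Effect": "Allow",
         "Principal": {"CanonicalUser": CANONICAL_USER},
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        {"Sid": "Access-to-specific-VPCE-only", "Effect": "Deny",
         "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE}}},
    ],
}

# Variant: the Deny additionally requires the caller NOT to be the console
# user. Keys inside one Condition block are ANDed, so the Deny now only hits
# requests that are both outside the endpoint and not from that identity.
FIXED_POLICY = copy.deepcopy(ORIGINAL_POLICY)
FIXED_POLICY["Statement"][1]["Condition"]["ArnNotEquals"] = {
    "aws:PrincipalArn": CONSOLE_USER_ARN}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # Action and Resource support "*" wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def principal_matches(principal, req):
    if principal == "*":
        return True  # every caller, the bucket owner's own user included
    if req.get("canonical_user") in _as_list(principal.get("CanonicalUser", [])):
        return True
    return req.get("aws:PrincipalArn") in _as_list(principal.get("AWS", []))


def condition_matches(condition, req):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, allowed = req.get(key), _as_list(expected)
            if operator in ("StringEquals", "ArnEquals"):
                if actual is None or actual not in allowed:
                    return False
            elif operator in ("StringNotEquals", "ArnNotEquals"):
                # Negated operators are satisfied when the key is absent from
                # the request, so a console request with no aws:sourceVpce
                # still satisfies StringNotEquals and falls into the Deny.
                if actual is not None and actual in allowed:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def statement_applies(stmt, req):
    return (principal_matches(stmt["Principal"], req)
            and _any_match(stmt["Action"], req["action"])
            and _any_match(stmt["Resource"], req["resource"])
            and condition_matches(stmt.get("Condition", {}), req))


def evaluate(policy, req):
    """Return 'Deny', 'Allow' or 'NoMatch' for the bucket policy alone.

    NoMatch means the caller's identity-based policies decide (the EC2
    instance role, in the asker's setup); an explicit Deny overrides them.
    """
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, req)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "NoMatch"


# Constructed request contexts. The console request has no aws:sourceVpce.
CONSOLE_REQUEST = {"canonical_user": CANONICAL_USER,
                   "aws:PrincipalArn": CONSOLE_USER_ARN,
                   "action": "s3:PutObject", "resource": BUCKET + "/id_rsa.pub"}
VPC_REQUEST = {"aws:PrincipalArn": INSTANCE_ROLE_ARN, "aws:sourceVpce": VPCE,
               "action": "s3:GetObject", "resource": BUCKET + "/id_rsa.pub"}
OUTSIDER_REQUEST = {"aws:PrincipalArn": "arn:aws:iam::999999999999:user/other",
                    "action": "s3:GetObject", "resource": BUCKET + "/id_rsa.pub"}

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for label, req in (("console", CONSOLE_REQUEST), ("vpc", VPC_REQUEST),
                           ("outsider", OUTSIDER_REQUEST)):
            print(f"{name:8s} {label:8s} -> {evaluate(policy, req)}")
```

Running it shows the posted policy returning Deny for the console request and the variant returning Allow, while the VPC request reports NoMatch under both (the bucket policy neither allows nor denies it, so the instance role's own policy grants the access) and the outsider stays denied. The same carve-out can be written with NotPrincipal on the Deny statement; a condition on aws:PrincipalArn is the form AWS currently recommends, and for an assumed role that key carries the role ARN rather than the session ARN.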