Our service attempts to discover and access Amazon S3 buckets in the customer account using the IAM role that is created during the onboarding process.
However, if the S3 bucket policy restricts access in a way that prevents this role from performing S3 operations, the bucket will not be discoverable or accessible by the service.
Example
If the customer’s S3 bucket policy contains a condition that denies access unless requests originate from a specific VPC endpoint (or any other restrictive condition), Druva’s IAM role will not be able to discover or access the bucket.
The following bucket policy denies all access requests that do not come from the specified VPC endpoint:
json
{
"Version": "2012-10-17",
"Id": "PolicyRestrictToVPC",
"Statement": [
{
"Sid": "AllowAccessFromSpecificVPCOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket-name",
"arn:aws:s3:::my-bucket-name/*"
],
"Condition": {
"StringNotEquals": {
"aws:SourceVpce": "vpce-0123456789abcdef0"
}
}
}
]
}
In this case, because Druva's S3 requests are not routed through the specified VPC endpoint (vpce-0123456789abcdef0), the Deny statement matches and S3 explicitly denies the request. An explicit Deny in a bucket policy overrides any Allow granted through the role's own IAM permissions, so the role cannot list or discover this bucket.
Common policy conditions that can cause discovery failure
Some examples of restrictive policy conditions that can block discovery include:
aws:SourceVpce - limits access to a specific VPC endpoint
aws:SourceIp - limits access to specific IP ranges
aws:PrincipalArn - allows only specific IAM roles or users
StringEquals/StringNotEquals conditions with aws:PrincipalAccount, aws:SourceArn, etc.
Resolution
To enable successful discovery and access of the S3 bucket, the restrictive Deny statement must carve out the designated IAM role. Because an explicit Deny always overrides an Allow, adding a separate Allow statement for the role is not sufficient; the exemption must be added as a condition within the same policy statement that enforces the restriction, so that the Deny no longer matches requests made by that role. For detailed steps on how to update the bucket policy, see the Procedure section below.
For example,
json
{
"Version": "2012-10-17",
"Id": "PolicyRestrictToVPC",
"Statement": [
{
"Sid": "AllowAccessFromSpecificVPCOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket-name",
"arn:aws:s3:::my-bucket-name/*"
],
"Condition": {
"StringNotEquals": {
"aws:SourceVpce": "vpce-0123456789abcdef0"
},
"ArnNotEqualsIfExists": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/MyTrustedRole"
}
}
}
]
}
where:
arn:aws:iam::123456789012:role/MyTrustedRole is the IAM role that was created by Druva during onboarding.
All condition blocks in a statement must match for the statement to apply, so this Deny now matches only requests that both come from outside the VPC endpoint and are not made by the trusted role. The IfExists suffix keeps the Deny in effect for requests that carry no aws:PrincipalArn at all, such as anonymous requests.
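The following is an added example, not Druva's code, that checks a bucket policy for the pattern described above. It models two IAM evaluation rules the resolution depends on: an explicit Deny overrides any Allow, and the condition blocks inside one statement are ANDed, so a Deny applies only when every block matches. It runs the check over the original policy, the fixed policy, and a third constructed variant that adds a separate Allow statement for the role while leaving the Deny untouched, to show that the Allow alone does not help. The bucket name, VPC endpoint ID and role ARN are the placeholders from this article.

```python
"""Static check: does a bucket policy's Deny statement carve out a given role?

Added example, not Druva's code. Models two IAM evaluation rules: an explicit
Deny overrides any Allow, and the condition blocks inside one statement are
ANDed, so a Deny applies only when every condition block matches the request.
"""

# Constructed policies: the two shown on this page plus a "wrong fix" that adds
# a separate Allow for the role instead of editing the Deny. Placeholders only.
ROLE_ARN = "arn:aws:iam::123456789012:role/MyTrustedRole"
BUCKET = "my-bucket-name"

def _deny_statement(extra_conditions):
    return {
        "Sid": "AllowAccessFromSpecificVPCOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"},
                      **extra_conditions},
    }

ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [_deny_statement({})]}

FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny_statement({"ArnNotEqualsIfExists": {"aws:PrincipalArn": ROLE_ARN}})]}

# Deny left unchanged, separate Allow added for the role: still blocked.
SEPARATE_ALLOW_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny_statement({}),
    {"Sid": "AllowDruvaRole", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "s3:*", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

# Operators whose test is "context value is NOT one of the listed values".
NEGATED_OPERATORS = {"StringNotEquals", "StringNotEqualsIgnoreCase",
                     "ArnNotEquals", "ArnNotLike"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_bucket(stmt, bucket):
    """True if the statement's Action/Resource cover S3 operations on bucket."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(a in ("*", "s3:*") or a.startswith("s3:") for a in actions)
            and any(r == "*" or r == f"arn:aws:s3:::{bucket}"
                    or r.startswith(f"arn:aws:s3:::{bucket}/") for r in resources))

def _targets_principal(principal, role_arn):
    """True if the Deny's Principal element includes role_arn (or everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", role_arn) for p in _as_list(principal.get("AWS", [])))
    return False

def _carves_out_role(conditions, role_arn):
    """True if a negated aws:PrincipalArn condition exempts role_arn.

    A request made by role_arn fails a "NotEquals <role_arn>" test; that block
    is then False and the ANDed Deny does not apply. ...IfExists variants are
    accepted because the key is present for every signed request.
    """
    for operator, keys in conditions.items():
        base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
        if base not in NEGATED_OPERATORS:
            continue
        for key, values in keys.items():
            if key.lower() == "aws:principalarn" and role_arn in _as_list(values):
                return True
    return False

def blocking_deny_sids(policy, bucket, role_arn):
    """Return the Sids of Deny statements that would block role_arn on bucket.

    Every other condition in a Deny (aws:SourceVpce, aws:SourceIp, ...) is
    assumed to match the service's requests, since they do not originate from
    the customer's VPC endpoint or IP ranges; only the aws:PrincipalArn
    carve-out is recognized as an exemption.
    """
    blocking = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny" or not _covers_bucket(stmt, bucket):
            continue
        if not _targets_principal(stmt.get("Principal"), role_arn):
            continue
        if _carves_out_role(stmt.get("Condition", {}), role_arn):
            continue
        blocking.append(stmt.get("Sid", "<no Sid>"))
    return blocking

if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY),
                         ("separate allow", SEPARATE_ALLOW_POLICY)]:
        blocked = blocking_deny_sids(policy, BUCKET, ROLE_ARN)
        print(f"{name:15s}: {'BLOCKED by ' + ', '.join(blocked) if blocked else 'role exempt'}")
```

This is a static approximation of one pattern, not an IAM evaluator. For the authoritative answer against a real bucket, fetch the live policy with `aws s3api get-bucket-policy` and run `aws iam simulate-principal-policy` for the onboarding role with `--resource-policy`; note that request context keys such as aws:SourceVpce must be supplied via `--context-entries`, otherwise the simulator treats them as absent and the result will not reflect the customer's network path.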
Procedure
Follow these steps to update the S3 bucket policy and ensure the integration works correctly.
Retrieve the S3 IAM Role for the AWS Workloads (CloudRanger) account.
Open the S3 bucket and go to the Permissions tab.
Edit the bucket policy.
Update the restrictive Deny statement so that it exempts the role. Add the aws:PrincipalArn condition to the existing Deny statement rather than adding a new Allow statement, and replace my-bucket-name, the VPC endpoint ID, and the role ARN with your own values. For the VPC endpoint restriction used in this article, the updated policy is:
json
{
"Version": "2012-10-17",
"Id": "PolicyRestrictToVPC",
"Statement": [
{
"Sid": "AllowAccessFromSpecificVPCOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket-name",
"arn:aws:s3:::my-bucket-name/*"
],
"Condition": {
"StringNotEquals": {
"aws:SourceVpce": "vpce-0123456789abcdef0"
},
"ArnNotEqualsIfExists": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/MyTrustedRole"
}
}
}
]
}
Click Save changes.