Certified Security - Specialty


Quiz answer to block ip range is ambiguous

One question in the Quiz for Infrastructure Security asks for the best way to block any request to access publicly available files in your S3 bucket that comes from the following IP address range: 86.130.105.0/24. The correct answer given is to use AWS WAF Web ACL, but it’s also possible to do this using a bucket policy, see https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-3. Thus two answers are correct here; is there an error, or is there a reason why using WAF is the only correct option?
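
As an added example (not part of the original question or any of the answers), the following Python builds the bucket-policy form the question refers to, a public-read Allow plus an explicit Deny for s3:GetObject whenever aws:SourceIp falls inside 86.130.105.0/24, and includes a small local evaluator for the IpAddress / NotIpAddress condition operators so the match behaviour can be checked offline. The evaluator is a simplified model of IAM condition matching, not the real policy engine, and it only handles requests that carry a source IP. The bucket name and the sample source addresses are made up.

```python
"""
Bucket policy that blocks public GetObject requests from one CIDR range,
plus an offline evaluator for the aws:SourceIp condition.

Added example, not code from the thread or from AWS. The evaluator is a
simplified model of IAM condition matching (IpAddress / NotIpAddress only,
source IP always present); it is not the real policy engine.
"""
import ipaddress
import json

BLOCKED_RANGE = "86.130.105.0/24"   # range named in the quiz question
BUCKET = "example-public-assets"    # assumed bucket name, not from the thread


def build_deny_range_policy(bucket, cidrs):
    """Public-read policy with an explicit Deny for requests from `cidrs`.

    An explicit Deny always wins over the Allow that makes the objects
    public, so every other source address keeps anonymous read access.
    """
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PublicRead",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": resource,
            },
            {
                "Sid": "DenyBlockedRange",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": resource,
                "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
            },
        ],
    }


def _condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress operators on aws:SourceIp.

    Every operator in the Condition block must match for the statement
    to apply; an empty Condition matches everything.
    """
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        in_range = any(addr in ipaddress.ip_network(c) for c in cidrs)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate_get_object(policy, source_ip):
    """Decision for an anonymous s3:GetObject from `source_ip`.

    Returns "Deny" (explicit deny matched), "Allow", or "ImplicitDeny"
    when no statement applies.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt["Action"] != "s3:GetObject":
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny is final
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_deny_range_policy(BUCKET, [BLOCKED_RANGE])
    print(json.dumps(policy, indent=2))
    # Constructed sample source addresses: one inside the range, one just outside.
    for ip in ("86.130.105.17", "86.130.106.1"):
        print(ip, "->", evaluate_get_object(policy, ip))
```

The evaluator exists so the CIDR boundary can be checked before the policy is attached: 86.130.105.255 is the last address in the /24 and is denied, 86.130.106.1 is outside it and is allowed.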

5 Answers

Thanks yes I think you’re right, I’m going to update that question

Alec Whitehouse

Maybe a use case that specifies which is the ‘best’ option?

I think the answer’s actually wrong as it doesn’t mention using CloudFront over S3, and you cannot use AWS WAF to protect an S3 bucket directly. The only correct answer is with a bucket policy.

Pappgez

I concur with Howard Watts as https://aws.amazon.com/waf/

Pappgez

"You can deploy AWS WAF on either Amazon CloudFront as part of your CDN solution, the Application Load Balancer (ALB) that fronts your web servers or origin servers running on EC2, or Amazon API Gateway for your APIs" – there is no mention of S3. Also, bucket policies have the option to set IP-based restrictions: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-3

Pradeep Kumar

That’s correct, Howard

Faye, what is the correct answer, or the correct question? Please let us know when you make updates.

Question still says choose two, even though three answers are valid and expected.

Please also take note of the following article when updating the questions:
https://aws.amazon.com/de/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/

"Note: It’s a best practice not to use the aws:SourceIp condition key."

"You can use the aws:SourceIp global condition key in the condition element of an IAM policy to restrict API calls from specific IP addresses, but this denies access to AWS services such as AWS CloudFormation that make calls on your behalf."
