AWS Bucket Policy - limit access to a bucket with bucket policy

Time:01-27

By default our users have full S3 access via IAM. I have one bucket, however, that I need to limit access to one specific user, and block all other users.

I followed this guide here https://aws.amazon.com/premiumsupport/knowledge-center/explicit-deny-principal-elements-s3/

and made this bucket policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::XXXXXXXXXXXX:user/USERWHONEEDSACCESS"
                ]
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::NAMEOFBUCKET/*"
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::NAMEOFBUCKET/*",
            "Condition": {
                "StringNotLike": {
                    "aws:userid": "USERWHONEEDSACCESS:*"
                }
            }
        }
    ]
}

However, it doesn't work. Any suggestions?

CodePudding user response:

You can try the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": {
                "AWS": [
                    "arn:aws:iam::XXXXXXXXXXXX:user/USERWHONEEDSACCESS"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::nameofbucket/*",
                "arn:aws:s3:::nameofbucket"
            ],
            "Effect": "Allow"
        },
        {
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::XXXXXXXXXXXX:user/USERWHONEEDSACCESS"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::nameofbucket/*",
                "arn:aws:s3:::nameofbucket"
            ],
            "Effect": "Deny"
        }
    ]
}

In the How to Restrict Amazon S3 Bucket Access to a Specific IAM Role blog post you can read more about using NotPrincipal and restricting access to a single IAM User, specifically:

You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.

To generate this policy code snippet, I used this: https://asecure.cloud/a/s3_restrict_iam_user/ and I pre-filled the iamPrincipal and bucketName parameters with your example values.

CodePudding user response:

Make sure that you are using an IAM unique identifier in your condition (it should start with the letters AIDA for IAM users).

"StringNotLike": {
      "aws:userid": "AIDAXXXXXXXXXXXXX:*"
 }

I suspect that you have written the username in your condition because you use the same placeholder as in the Principal. The IAM user ID is distinct from the username and the ARN and cannot be found through the Console, but you can, for example, retrieve it with the AWS CLI get-user command.

CodePudding user response:

While @Rigerta's answer will work, I think it's worth explaining why, and how you can make your own policy work.

If you notice, in your policy you're specifying that only that user will be able to access all objects in your bucket:

"Resource": "arn:aws:s3:::NAMEOFBUCKET/*"

However, the way IAM permissions work for S3 buckets is a bit tricky. Yes, that user has access to all objects, and if he/she tries to push/pull an object via the CLI the operation will probably succeed, although via the AWS console the bucket is unreachable. That is because the user only has access to the objects in the bucket, not to the bucket itself.

Therefore, you need to add the bucket itself to your resources. Changing

"Resource": "arn:aws:s3:::NAMEOFBUCKET/*"

to

"Resource": ["arn:aws:s3:::NAMEOFBUCKET/*", "arn:aws:s3:::NAMEOFBUCKET"]

should make it work.

You can check this blog post for an example of an IAM policy for accessing a bucket. Notice how different actions are granted to different resources.
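The three answers above each rest on one rule of IAM evaluation: an explicit Deny beats any Allow (including the Allow the users already carry in their IAM policies), NotPrincipal and a StringNotLike on aws:userid are two ways of writing "everyone except this user", the condition has to name the user's unique ID rather than the username, and s3:ListBucket is authorised against the bucket ARN, not the object ARN. The script below is an added example, not code from the question, any of the answers, or AWS: it builds the restrictive bucket policy in both the NotPrincipal and the aws:userid form and runs a small simulator of those evaluation rules over it. The simulator is a teaching model, not the AWS policy engine (it only knows StringLike/StringNotLike and a single context key), and the account ID, user IDs, bucket name and object key are made-up placeholders. In real use the AIDA... value comes from `aws iam get-user --user-name USERWHONEEDSACCESS`.

```python
"""Added example: build the one-user bucket policy and check it against a
minimal model of IAM evaluation. Not the AWS engine; all identifiers are fake."""
import fnmatch

ACCOUNT = "111122223333"                      # placeholder account id
BUCKET = "nameofbucket"                       # placeholder bucket name
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/USERWHONEEDSACCESS"
USER_ID = "AIDAEXAMPLEUSERID1234"             # placeholder; real one from `aws iam get-user`
OTHER_ARN = f"arn:aws:iam::{ACCOUNT}:user/someone-else"
OTHER_ID = "AIDAEXAMPLEOTHERID567"            # placeholder for any other IAM user
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/report.csv"   # placeholder object key


def restrict_bucket_to_user(bucket, user_arn, user_id, use_not_principal=False):
    """Bucket policy: Allow for one IAM user, explicit Deny for everyone else.

    Both the bucket ARN (s3:ListBucket, which the console needs) and the object
    ARN pattern are listed. The Deny uses NotPrincipal (first answer) or
    Principal "*" plus StringNotLike on aws:userid (second answer). For an IAM
    user the aws:userid request value is the bare unique id (AIDA...); role
    sessions look like ROLEID:session-name, so both shapes are in the list.
    """
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    allow = {"Sid": "AllowOneUser", "Effect": "Allow", "Principal": {"AWS": user_arn},
             "Action": "s3:*", "Resource": resources}
    if use_not_principal:
        deny = {"Sid": "DenyEveryoneElse", "Effect": "Deny",
                "NotPrincipal": {"AWS": user_arn}, "Action": "s3:*", "Resource": resources}
    else:
        deny = {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": resources,
                "Condition": {"StringNotLike": {"aws:userid": [user_id, f"{user_id}:*"]}}}
    return {"Version": "2012-10-17", "Statement": [allow, deny]}


def _aslist(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM string matching: '*' is any run of characters, '?' a single character.
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(stmt, principal_arn):
    if "Principal" in stmt:
        principal = stmt["Principal"]
        return principal == "*" or principal_arn in _aslist(principal.get("AWS", []))
    if "NotPrincipal" in stmt:
        return principal_arn not in _aslist(stmt["NotPrincipal"].get("AWS", []))
    return False


def _condition_holds(stmt, context):
    # Only the two operators used in this thread are modelled. A negated
    # operator with several values is true only if the key matches none of them.
    for operator, keys in stmt.get("Condition", {}).items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError(f"unsupported operator {operator}")
        for key, patterns in keys.items():
            matched = any(_glob(p, context[key]) for p in _aslist(patterns))
            if (operator == "StringLike") != matched:
                return False
    return True


def evaluate(policy, principal_arn, user_id, action, resource, identity_allows=True):
    """Return 'Allow' or 'Deny' for a same-account IAM user hitting this bucket.

    identity_allows models the question's setup (users already have full S3
    access via IAM): only an explicit Deny in the bucket policy can override
    it, which is why an Allow-only bucket policy cannot lock the bucket down.
    """
    context = {"aws:userid": user_id}
    bucket_allows = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(_glob(a, action) for a in _aslist(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _aslist(stmt["Resource"])):
            continue
        if not _condition_holds(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"              # explicit deny always wins
        bucket_allows = True
    return "Allow" if bucket_allows or identity_allows else "Deny"


if __name__ == "__main__":
    for variant in (False, True):
        policy = restrict_bucket_to_user(BUCKET, USER_ARN, USER_ID, use_not_principal=variant)
        print("NotPrincipal" if variant else "aws:userid   ",
              "user ListBucket:", evaluate(policy, USER_ARN, USER_ID, "s3:ListBucket", BUCKET_ARN),
              "other GetObject:", evaluate(policy, OTHER_ARN, OTHER_ID, "s3:GetObject", OBJECT_ARN))
    # The question's mistake: a user *name* in the aws:userid pattern matches
    # nobody's request context, so the Deny fires for the intended user too.
    broken = restrict_bucket_to_user(BUCKET, USER_ARN, "USERWHONEEDSACCESS")
    print("username in condition, user GetObject:",
          evaluate(broken, USER_ARN, USER_ID, "s3:GetObject", OBJECT_ARN))
```

Running it shows the intended user allowed and every other user denied under both spellings of the Deny, and the original username-based condition denying the intended user as well. Before applying a policy like this for real, run it through the IAM policy simulator or `aws s3api get-bucket-policy` on a test bucket, since a Deny with a mistyped user ID locks out every IAM principal in the account, root excepted.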
