We Keep Coding

Deny access to all users except one to access private-folder inside S3 bucket

I have a public S3 bucket which has 2 folders inside it, public-folder and private-folder
I want everyone to access the public-folder and I want only user1 to access private-folder programmatically.
Inside the S3 bucket, I have added the following policy:
{
"Version": "2012-10-17",
"Id": "Policy1568654876568",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn-of-user1"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/private-folder/*"
}
]
}
from the IAM, I have created a policy for user1 to be able to access the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
Is there a better way to achieve this goal? Would be possible to deny everyone to access the private-folder using S3 policy and then override that using IAM policy that I have defined for user1?

Wouldn't the following be easier and more natural to do if you have public-folder and private-folder. The following is based on the fact that buckets and its objects are private by default.
Bucket policy
It allows public access to public-folder:
{
"Version": "2012-10-17",
"Id": "Policy1568654876568",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/public-folder/*"
}
]
}
User policy
It allows putting, getting and deleting objects in private-folder, as well as listing the bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/private-folder/*"
}
]
}
Would be possible to deny everyone to access the private-folder using S3 policy and then override that using IAM policy that I have defined for user1?
Explicit deny overwrites any allow. Thus if you deny access to everyone, you can't use any IAM policy to allow access.

Restrict IAM user for a cross account role to a single bucket

I'll like my Iam policy used for a cross account to access just a single S3 bucket as in the example below but it fails with permission denied. The failure occurs when i switch to a cross account role on the console in AccountA and attempt to access the S3 bucket in accountB. However, I am able to view the S3 bucket in accountB when I change the "Resource" on the Iam policy to allow everything.
xx.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket/"
]
}
]
}
However, I am able to view the S3 bucket in accountB when I change the "Resource" on the Iam policy to allow everything. eg
xxx.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "*"
]
}
]
}
but this is not what i want.
other files used include:
xx.tpl
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "${Sid}",
"Effect": "${Effect}",
"Action": "${Action}",
"Resource": "${Resource}"
}
]
}
xx.tf
data "aws_iam_policy_document" "s3_write" {
count = length(var.s3_bucket_names)
statement {
actions = ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObjectAcl", "s3:List*", "s3:Get*", "s3:*"]
resources = ["arn:aws:s3:::${aws_s3_bucket.mybucket[count.index].id}/*", "arn:aws:s3:::${aws_s3_bucket.mybucket[count.index].id}"]
principals {
identifiers = var.principals
type = "AWS"
}
}
resource "aws_s3_bucket_policy" "s3_lb" {
count = length(var.s3_bucket_names)
bucket = aws_s3_bucket.mybucket[count.index].id
policy = data.aws_iam_policy_document.s3_write[count.index].json
}
s3 bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxx:role/test-role1",
"arn:aws:iam::xxxx:role/test-role2",
"arn:aws:iam::xxxx:role/test-role3",
"arn:aws:iam::xxxx-other:role/s3-list-role"
]
},
"Action": [
"s3:PutObjectAcl",
"s3:PutObject",
"s3:List*",
"s3:Get*",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:*"
],
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket"
]
}
]
}

I changed this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket/"
]
}
]
}
To this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
Giving my IAM user cross account access to both the console and CLI. The first allow statement is required for console cross account access.

If arn:aws:iam::xxxx:role/test-role1 has this policy attached, then a session with that role will get access to the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket"
]
}
]
}
The S3 bucket policy grants this principal access. The problem is the trailing slash on the bucket ARN (second resource listed in the policy above.

Allow IAM user to access single s3 bucket

I am using inline policy for grant access to s3 bucket for IAM user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::newput-test"
]
}
]
}
but on extended s3 browser when I use the access key id and secret access key of particular IAM user is not listing my bucket.but when I pass * in resources It works fine
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
]
}
but the problem is its giving access to all the s3 bucket to IAM user.
but I want to give access only single bucket anybody have an idea how to achieve this.

Try something like this
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mys3bucket",
"arn:aws:s3:::mys3bucket/*"
]
}
]
}
Its been explained here.
http://www.fizerkhan.com/blog/posts/Restrict-user-access-to-Single-S3-Bucket-using-Amazon-IAM.html

Restrict user access to Single S3 Bucket using Amazon IAM?

When you work with the team, you might want to restrict an access to a single S3 bucket to specific users. How can I achieve this?
The following code is not working. The user still has full permission.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::Privatebacket",
"arn:aws:s3:::Privatebacket/*"
]
}
]
}

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-BUCKET",
"arn:aws:s3:::YOUR-BUCKET/*"
]
}
]
}
https://www.serverkaka.com/2018/05/grant-access-to-only-one-s3-bucket-to-aws-user.html

Try the below mentioned link. You can grant user specific folder permissions using IAM policies.
https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

You can add an inline policy for that IAM user. You can set a 'deny' policy to that specific s3 bucket.
Policy Document:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1497522841000",
"Effect": "Deny",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::mjzone-private"
]
}
]
}

Sync from S3 bucket to local directory fails

I want to download the whole bucket to a local directory. I tried:
aws s3 sync s3://my-bucket-name . --profile default
I got an authentication error:
download failed: s3://my-bucket-name/thumbnail.jpg to path to
local/thumbnail.jpg A client error (Unknown) occurred when calling the
GetObject operation: Unknown
I believe my IAM is configured correctly as it gives full access to S3 buckets. it works when I try another command, such as:
aws s3 ls
My inline policy for the IAM user is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::*"]
}
]
}
Did I miss something in this setup?

You could use the following policy if you want to access via cli as well as web console and restrict the bucket to the user and some basic actions on it:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOURBUCKET"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListObjects"
],
"Resource": [
"arn:aws:s3:::YOURBUCKET/*"
]
}
]
}

There is issue in the policy. Change the policy to below.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*"
}
]
}
If you want user to access just one bucket then use below policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::name-of-bucket/*"
}
]
}