My goal is to create exclusive access to a bucket for one IAM user, and to maintain that exclusivity easily as new IAM users and groups are added. The user is outside of my control and has a managed policy attached to it:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullTestBucketS3Access",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::test",
"arn:aws:s3:::test/*"
]
}
]
}
I have applied a bucket policy to the bucket that needs to exclude all users except one:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::111111111111:root",
"arn:aws:iam::111111111111:user/myuser"
]
},
"Action": [
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::test",
"arn:aws:s3:::test/*"
]
}
]
}
I am finding that the mask provided by the NotPrincipal part of the deny statement is not working. All users are denied the ability to take the action specified in the deny policy. What should I be looking at to work this out?
As a plan to deprecate S3 objects, I am revoking all access apart from mine. I tried two ways, but now I find that I am not able to see the bucket policy.
Error message from console:
You don’t have permission to get bucket policy
You or your AWS administrator must update your IAM permissions to allow s3:GetBucketPolicy. After you obtain the necessary permission, refresh the page. Learn more about Identity and access management in Amazon S3
First:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::ck",
"arn:aws:s3:::k/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA"
]
}
}
}
]
}
Second:
{
"Id": "bucketPolicy",
"Statement": [
{
"Action": "s3:*",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::0220:user/an"
]
},
"Resource": [
"arn:aws:s3:::tes",
"arn:aws:s3:::tes/*"
]
}
],
"Version": "2012-10-17"
}
I want to share my bucket (sourcebucket) with an IAM User (testuser) for a limited time window. Does AWS provide any bucket policy so that I can share my bucket objects with the IAM User for a limited time frame?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678910:user/testuser"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::sourcebucket/*",
"arn:aws:s3:::sourcebucket"
]
}
]
}
Does AWS provide any bucket policy so that I can share my bucket objects with the IAM User for a limited time frame?
Yes.
Check the DateGreaterThan and DateLessThan conditions and the aws:CurrentTime condition key. Here's an example, using the policy in your question as a base:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678910:user/testuser"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::sourcebucket/*",
"arn:aws:s3:::sourcebucket"
],
"Condition": {
"DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
"DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}
}
}
]
}
Here are some useful links:
AWS Global Condition Context Keys: aws:CurrentTime
AWS: Allows Access Within Specific Dates
I have an S3 bucket whose access I want to restrict to only some specific users. I created a test IAM account, "test.access", and I put this policy on my bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AuthorizeOnlySpecifiedUsers",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::xxxxxxxxxx:user/test.access"
]
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::test-bucket-xxxxxx-dev",
"arn:aws:s3:::test-bucket-xxxxxx-dev/*"
]
}
]
}
Now the problem is that the bucket is not accessible to anyone, even the user test.access.
What's going on with the policy?
Thank you.
This policy should work (I haven't been able to test it yet). A couple of things to note:
Make sure to include yourself in the Deny NotPrincipal policy.
If you don't want your users having full access to the bucket, list the actions they need in the Allow part. Additional actions for yourself and other admins will be granted in the IAM user/role policies.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AuthorizeOnlySpecifiedUsers",
"Effect": "Deny",
"Action": [
"s3:*"
],
"NotPrincipal": {
"AWS": [
"arn:aws:iam::xxxxxxxxxx:user/test.access",
"arn:aws:iam::xxxxxxxxxx:user/yourself"
]
},
"Resource": [
"arn:aws:s3:::test-bucket-xxxxxx-dev",
"arn:aws:s3:::test-bucket-xxxxxx-dev/*"
]
},
{
"Sid": "Allow",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxxxxx:user/test.access",
"arn:aws:iam::xxxxxxxxxx:user/yourself"
]
},
"Action": [
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:GetObject*",
"s3:RestoreObject*"
],
"Resource": [
"arn:aws:s3:::test-bucket-xxxxxx-dev",
"arn:aws:s3:::test-bucket-xxxxxx-dev/*"
]
}
]
}
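The two notes in this answer (put yourself in NotPrincipal, keep the Allow narrow) and the first question's wish to keep the exclusive list maintainable as users are added can be handled by generating the policy instead of hand-editing JSON. What follows is an added example, not code posted by anyone in this thread or supplied by AWS. It also applies two rules from the AWS documentation for the NotPrincipal element that the thread does not spell out: a Deny with NotPrincipal should also list the account root ARN of every not-denied principal (otherwise the policy may deny the whole account that contains the principal), and an Allow statement in a bucket policy must carry a Principal, or S3 rejects the document as malformed. The function names, the bucket name test-bucket-dev, the account number and the BROKEN_EXAMPLE document are this example's own assumptions.

```python
"""Build and sanity-check an "only these principals" S3 bucket policy.

Added example for this thread; not code from the posters or from AWS.
It encodes two rules from the AWS documentation on NotPrincipal:
  * a Deny with NotPrincipal should also list the account root ARN of every
    not-denied principal, otherwise the whole account may be denied;
  * an Allow in a resource-based policy must carry a Principal.
Function names, the account number and BROKEN_EXAMPLE are this example's own.
"""
import json
import re

IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(user|role|root)(/.+)?$")


def root_arn_for(principal_arn):
    """arn:aws:iam::<account>:root for a user, role or root ARN."""
    m = IAM_ARN.match(principal_arn)
    if not m:
        raise ValueError(f"not an IAM principal ARN: {principal_arn}")
    return f"arn:aws:iam::{m.group(1)}:root"


def build_exclusive_bucket_policy(bucket, allowed_arns, allowed_actions=("s3:*",)):
    """Deny s3:* to everyone except allowed_arns (plus their account roots),
    then grant allowed_actions to allowed_arns. Adding a user later means
    re-running this with a longer list rather than editing JSON by hand."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    allowed = sorted(set(allowed_arns))
    not_denied = sorted(set(allowed) | {root_arn_for(a) for a in allowed})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyEveryoneElse", "Effect": "Deny",
             "NotPrincipal": {"AWS": not_denied},
             "Action": "s3:*", "Resource": resources},
            {"Sid": "AllowListedPrincipals", "Effect": "Allow",
             "Principal": {"AWS": allowed},
             "Action": list(allowed_actions), "Resource": resources},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_bucket_policy(policy):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        sid = st.get("Sid", f"statement {i}")
        if st.get("Effect") == "Allow" and "Principal" not in st:
            findings.append(f"{sid}: Allow in a bucket policy needs a Principal")
        if st.get("Effect") == "Deny" and "NotPrincipal" in st:
            listed = set(_as_list(st["NotPrincipal"].get("AWS", [])))
            for arn in sorted(listed):
                if not IAM_ARN.match(arn):
                    continue  # "*" or a placeholder; nothing to derive from it
                if root_arn_for(arn) not in listed:
                    findings.append(f"{sid}: NotPrincipal lists {arn} without {root_arn_for(arn)}")
                if ":role/" in arn:
                    findings.append(f"{sid}: {arn} is a role; sessions that assume it are still "
                                    "denied unless their arn:aws:sts::...:assumed-role/ ARN is listed")
    return findings


# Constructed for this example: the shape posted above, with the root ARN left
# out of NotPrincipal and no Principal on the Allow statement.
BROKEN_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuthorizeOnlySpecifiedUsers", "Effect": "Deny", "Action": "s3:*",
         "NotPrincipal": {"AWS": "arn:aws:iam::111111111111:user/test.access"},
         "Resource": ["arn:aws:s3:::test-bucket-dev", "arn:aws:s3:::test-bucket-dev/*"]},
        {"Sid": "Allow", "Effect": "Allow", "Action": ["s3:GetObject*", "s3:PutObject*"],
         "Resource": ["arn:aws:s3:::test-bucket-dev/*"]},
    ],
}

if __name__ == "__main__":
    for finding in lint_bucket_policy(BROKEN_EXAMPLE):
        print("finding:", finding)
    fixed = build_exclusive_bucket_policy(
        "test-bucket-dev",
        ["arn:aws:iam::111111111111:user/test.access",
         "arn:aws:iam::111111111111:user/yourself"],
        allowed_actions=["s3:GetObject*", "s3:PutObject*", "s3:ListBucket"])
    assert lint_bucket_policy(fixed) == []
    print(json.dumps(fixed, indent=2))
```

Running it prints two findings for BROKEN_EXAMPLE and then a replacement document that can be passed to put-bucket-policy. Including the root ARN in NotPrincipal means the account's root user is also not denied, which is what the first question's policy already does; the Allow statement is what actually grants the listed users anything, since NotPrincipal only carves them out of the Deny.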
I need to give external users access to a single Amazon S3 bucket folder. I have their ARN information but I am having an issue granting access.
{
"Version": "2012-10-17",
"Id": "S3AccessPolicy",
"Statement": [
{
"Sid": "TestAccess",
"Effect": "Allow",
"Principal": {
"AWS": "<external ARN>"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::rootlevelbucket",
"arn:aws:s3:::rootlevelbucket/specificfolder/*"
]
}
]
}
There are two sides to cross-account access. You have the first part with the bucket policy, but the admin for the external account needs to grant the user access to S3 with an IAM policy like the one below. You can use s3:* in the IAM policy because your bucket policy will restrict access to just the actions you list.
AWS Documentation
IAM Policy for external user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RootlevelbucketAccess",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::rootlevelbucket",
"arn:aws:s3:::rootlevelbucket/specificfolder/*"
]
}
]
}
Struggling to create a bucket policy to white list certain file types. Specifically, I want to allow only image types to be accessible.
I was able to create a blacklist policy like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::[my_bucket]/*.exe"
],
"Principal": {
"AWS": "*"
}
}
]
}
WHITELIST ATTEMPT #1:
Problem: this allows all types, not just those listed
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::[my_bucket]/*.jpg",
"arn:aws:s3:::[my_bucket]/*.png",
"arn:aws:s3:::[my_bucket]/*.gif"
],
"Principal": {
"AWS": "*"
}
}
]
}
WHITELIST ATTEMPT #2:
Problem: this ends up denying all files
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::[my_bucket]/*"
],
"Principal": {
"AWS": "*"
}
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::[my_bucket]/*.jpg",
"arn:aws:s3:::[my_bucket]/*.png",
"arn:aws:s3:::[my_bucket]/*.gif"
],
"Principal": {
"AWS": "*"
}
}
]
}
Your whitelist bucket policy #1 is correct. The reason it is allowing all file types could be that your IAM policy allows all file types for the user. Make sure the IAM policy attached to the user does not have S3FullAccess.
In accordance with the principle of least privilege, decisions default to DENY and an explicit DENY always trumps an ALLOW. For example, if an IAM policy grants access to an object, the S3 bucket policy denies access to that object, and there is no S3 ACL, then access will be denied. Similarly, if no method specifies an ALLOW, then the request will be denied by default. Only if no method specifies a DENY and one or more methods specify an ALLOW will the request be allowed.
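The evaluation rule quoted above (default deny, explicit Deny beats Allow) is what makes whitelist attempt #2 deny every object and what makes attempt #1 look broken when the caller's own IAM policy already allows s3:*. The following is an added example, not AWS code and not posted by anyone in this thread: a deliberately small model of that logic, enough to replay the policies from this page against sample requests. It serves the two whitelist attempts from this question, the dated DelegateS3Access policy from the time-window answer, and the NotPrincipal Deny from the first question. It handles only Action/Resource wildcards, Principal and NotPrincipal, and DateGreaterThan/DateLessThan on aws:CurrentTime; ACLs, SCPs, permission boundaries and the cross-account rule are not modelled. The names evaluate, Request and request, the bucket my-bucket and the sample principals are assumptions of the example.

```python
"""Tiny S3 authorization model: default deny, an explicit Deny beats any Allow.
Added example for this thread, not AWS code; it models only Action/Resource
wildcards, Principal/NotPrincipal and Date conditions on aws:CurrentTime, and
ignores ACLs, SCPs, permission boundaries and cross-account rules. The names
evaluate, Request, request, the bucket my-bucket and the sample principals are
this example's own. Needs Python 3.7+ for datetime.fromisoformat."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

ANONYMOUS = "anonymous"  # unsigned request: no identity-based policy applies to it

@dataclass
class Request:
    principal: str   # IAM ARN or ANONYMOUS
    action: str      # e.g. "s3:GetObject"
    resource: str    # full S3 ARN of the bucket or object
    when: datetime   # the request's aws:CurrentTime

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def _wild_match(pattern, value):
    """IAM-style wildcard: '*' is any run of characters, '?' one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _principal_matches(st, principal):
    if "Principal" in st:
        p = st["Principal"]
        aws = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        return "*" in aws or principal in aws
    if "NotPrincipal" in st:  # excludes the listed ARNs; grants nothing by itself
        return principal not in _as_list(st["NotPrincipal"].get("AWS", []))
    return True               # identity-based statement: applies to its owner

def _conditions_hold(st, req):
    for op, pairs in st.get("Condition", {}).items():
        for key, val in pairs.items():
            if key != "aws:CurrentTime" or op not in ("DateGreaterThan", "DateLessThan"):
                raise NotImplementedError(f"{op}/{key} is not modelled here")
            bound = _parse_time(val)
            if (op == "DateGreaterThan" and not req.when > bound) or \
               (op == "DateLessThan" and not req.when < bound):
                return False
    return True

def evaluate(req, *policies):
    """ALLOW or DENY for req under the union of the given policy documents: pass
    the caller's IAM policy and the bucket policy together; an anonymous caller
    gets only the bucket policy."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if (_principal_matches(st, req.principal)
                    and any(_wild_match(a, req.action) for a in _as_list(st.get("Action", [])))
                    and any(_wild_match(r, req.resource) for r in _as_list(st.get("Resource", [])))
                    and _conditions_hold(st, req)):
                if st["Effect"] == "Deny":
                    return "DENY"          # an explicit Deny ends evaluation
                allowed = True
    return "ALLOW" if allowed else "DENY"  # nothing allowed it: default deny

def request(principal, action, key, when="2020-05-01T00:00:00Z", bucket="my-bucket"):
    """Request on one object key; `when` is an ISO-8601 UTC timestamp."""
    return Request(principal, action, f"arn:aws:s3:::{bucket}/{key}", _parse_time(when))

# Sample documents, constructed from the policies in this thread.
BUCKET = "arn:aws:s3:::my-bucket"
WHITELIST_1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": [f"{BUCKET}/*.jpg", f"{BUCKET}/*.png", f"{BUCKET}/*.gif"]}]}
WHITELIST_2 = {"Version": "2012-10-17", "Statement": [  # the Deny on /* matches every image key too
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
    WHITELIST_1["Statement"][0]]}
IAM_FULL_S3 = {"Version": "2012-10-17", "Statement": [  # like the AmazonS3FullAccess managed policy
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
TESTUSER = "arn:aws:iam::12345678910:user/testuser"
TIME_WINDOW = {"Version": "2012-10-17", "Statement": [  # DelegateS3Access with the date window
    {"Effect": "Allow", "Principal": {"AWS": TESTUSER}, "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::sourcebucket", "arn:aws:s3:::sourcebucket/*"],
     "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
                   "DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}}}]}
MYUSER = "arn:aws:iam::111111111111:user/myuser"
EXCLUSIVE_DELETE = {"Version": "2012-10-17", "Statement": [  # the NotPrincipal Deny from the first question
    {"Effect": "Deny", "NotPrincipal": {"AWS": [MYUSER, "arn:aws:iam::111111111111:root"]},
     "Action": "s3:DeleteObject", "Resource": [BUCKET, f"{BUCKET}/*"]}]}

if __name__ == "__main__":
    print(evaluate(request(ANONYMOUS, "s3:GetObject", "a.jpg"), WHITELIST_2))  # DENY: the Deny wins
    print(evaluate(request(MYUSER, "s3:GetObject", "a.exe"), IAM_FULL_S3, WHITELIST_1))  # ALLOW: via IAM
    print(evaluate(request(TESTUSER, "s3:GetObject", "x", "2020-07-01T00:00:00Z", "sourcebucket"), TIME_WINDOW))  # DENY
    print(evaluate(request(MYUSER, "s3:DeleteObject", "a.jpg"), EXCLUSIVE_DELETE))  # DENY: no Allow anywhere
```

Two results are worth noting. Under attempt #1 an anonymous request for a.exe is denied and a.jpg is allowed, but the same request from a user carrying an s3:* identity policy is allowed for any key, which is the situation the answer above describes. Under the first question's policy, myuser is not denied by the NotPrincipal statement but is still denied until some policy (here the IAM policy) allows the delete: NotPrincipal only removes a principal from a Deny and never grants anything.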