Menu
I'm trying to grant a group of users access to all s3-buckets with a certain tag, but no access to all others. The policy I've cobbled together looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListAll",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowAllIfGroup",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Condition: : {
"StringEquals" : {
"s3.ResourceTag/allow-group": "s3-access-group"
}
},
"Resource": [
"arn:aws:s3:::*",
"arn:aws:s3:::*/*"
]
}
]
}
and I can't get it to work I have tried simulating the policy for ListBucket and ListAllMyBuckets against the arn of a tagged Bucket, ListAllMyBuckets works, ListBucket fails.
If I adapt this policy to ec2 (as in 'grant start/stop/terminate to instances if tag matches') it works like a charm.
Is this possible at all or does S3 not allow for matching buckets this way?
(further clarification: my bucket has tags "allow-group" and "AllowGroup" set, I was not sure if the dash may be a problem)
751
You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.
Grant public read access in one of these ways: Update the object's access control list (ACL) using the Amazon S3 console. Update the object's ACL using the AWS Command Line Interface (AWS CLI) Use a bucket policy that grants public read access to a specific object tag.
S3 does not support condition keys based on bucket tags (ResourceTag), but only on object tags.
See the full list of supported conditions keys here (Scroll down to "Condition Keys for Amazon S3"): https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-policy-keys
That's why it does not work.
104
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
