I'm working on an S3 bucket policy. The idea is to explicitly deny access to all IAM users within the account, except for those explicitly granted.
I found a blog post that explains how to restrict access to a specific user. It works well. However, I want to extend the syntax to include a second IAM user that will be allowed access. This is, in effect, an OR condition.
But I'm very new to JSON, and I'm not sure how to go about that.
Here is the policy that works for restricting access to a single user:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDA<obfuscated id>:*",
                        "AIDA<obfuscated id>",
                        "111111111111"
                    ]
                }
            }
        }
    ]
}
Can anyone help me edit the above JSON to allow for an OR condition where I could specify an additional userid that would be allowed access?
AdvThanksance!
Ok, I figured this out.
First, I tried adding a second StringNotLike clause to the Condition, but that didn't work.
After doing a bit more reading, I realized the Condition clause accepts multiple key/value pairs. In fact, the original policy I showed in my question already did that. I just needed to add more values to the array that was already there.
The policy that works, looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-private-bucket",
                "arn:aws:s3:::my-private-bucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDA<obfuscated-id-1>:*",
                        "AIDA<obfuscated-id-1>",
                        "AIDA<obfuscated-id-2>:*",
                        "AIDA<obfuscated-id-2>",
                        "111111111111"
                    ]
                }
            }
        }
    ]
}
When I realized that the key had already specified an array of values, I just added the second user id to the array, and it worked great.
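The answer above works because a negated condition operator such as StringNotLike with several values is true only when the request's aws:userId matches none of them, so one array under one key is the allow-list "OR". The following Python is an added example, not code from the question or the answer: it builds that Deny statement from a list of principal IDs, evaluates it against sample aws:userId values with the same wildcard rules IAM uses (* and ?), and shows what Python's json module does with the "two StringNotLike clauses" attempt (it keeps only the last duplicate key; other parsers may reject the document). All IDs (AIDAEXAMPLEUSERONE00, AROAEXAMPLEROLE00000, account 111111111111) and the function names are constructed for illustration. The ":*" form is what covers role sessions, whose aws:userId is "AROA...:SessionName"; the bare account ID is the root user's aws:userId.

```python
import json
import re

# Constructed sample identifiers for the example (not real AWS IDs).
ACCOUNT_ID = "111111111111"
ALLOWED_PRINCIPALS = [
    "AIDAEXAMPLEUSERONE00",  # hypothetical IAM user unique ID
    "AIDAEXAMPLEUSERTWO00",  # hypothetical second IAM user
    "AROAEXAMPLEROLE00000",  # hypothetical IAM role; sessions look like "AROA...:SessionName"
]
BUCKET = "my-private-bucket"


def build_deny_policy(bucket, account_id, principal_ids):
    """Deny s3:* to every principal whose aws:userId matches none of the
    allowed values. All values go in ONE array under ONE StringNotLike key;
    that array is the OR the question asks for."""
    values = []
    for pid in principal_ids:
        values.append(pid)           # exact user or role unique ID
        values.append(f"{pid}:*")    # role sessions carry ":SessionName"
    values.append(account_id)        # root user's aws:userId is the bare account ID
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotLike": {"aws:userId": values}},
        }],
    }


def iam_wildcard_match(value, pattern):
    """IAM string matching: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def string_not_like(request_value, patterns):
    """Negated operator with several values: true when the request value
    matches NONE of them. For a Deny statement, true means the deny applies."""
    return not any(iam_wildcard_match(request_value, p) for p in patterns)


def is_denied(policy, user_id):
    """Evaluate the single Deny statement built above against one aws:userId."""
    stmt = policy["Statement"][0]
    patterns = stmt["Condition"]["StringNotLike"]["aws:userId"]
    return string_not_like(user_id, patterns)


# Constructed policy text with a duplicated StringNotLike key: the "second clause" attempt.
DUPLICATE_KEY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::my-private-bucket/*",
    "Condition": {
      "StringNotLike": {"aws:userId": ["AIDAEXAMPLEUSERONE00"]},
      "StringNotLike": {"aws:userId": ["AIDAEXAMPLEUSERTWO00"]}
    }
  }]
}"""


def duplicate_key_survivors(policy_text):
    """Return the aws:userId values that survive parsing; json.loads keeps
    only the LAST duplicate key, so the first user silently disappears."""
    cond = json.loads(policy_text)["Statement"][0]["Condition"]
    return cond["StringNotLike"]["aws:userId"]


if __name__ == "__main__":
    policy = build_deny_policy(BUCKET, ACCOUNT_ID, ALLOWED_PRINCIPALS)
    print(json.dumps(policy, indent=2))
    for uid in ["AIDAEXAMPLEUSERONE00", "AROAEXAMPLEROLE00000:deploy",
                "AIDAOTHERUSER0000000", ACCOUNT_ID]:
        print(uid, "DENIED" if is_denied(policy, uid) else "allowed")
    print("values kept from duplicate-key policy:",
          duplicate_key_survivors(DUPLICATE_KEY_POLICY))
```

The evaluator models only this one Deny statement and the StringNotLike operator; it is a way to sanity-check the allow-list before applying the policy, not a substitute for IAM's full evaluation (other statements, IAM identity policies, and the fact that a bucket policy like this one applies to the account root too, which is why the account ID must stay in the list).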