I've got a bucket where I've accidentally uploaded thousands of files with the ACL set to :public_read. I would like all files to be unavailable except via a generated access URL.
I tried to create a bucket policy with deny all to everyone, and allow all to me.
It doesn't work, and all files are forbidden even with a generated access URL:
http://s3.amazonaws.com/myBucket/myFile.pdf?AWSAccessKeyId=AKIAIZB2XTOJ6KYB5SCA&Expires=1331137308&Signature=zRfPOj4XFBrXhyqDZ5DpwJqsWs0%3D
{
  "Version": "2008-10-17",
  "Id": "Policy1331136935471",
  "Statement": [
    {
      "Sid": "Stmt1331136294179",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::myBucket/*"
    },
    {
      "Sid": "Stmt1331136364169",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::6527...3775:root"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::myBucket/*"
    }
  ]
}
UPDATE:
I found a reference to the default deny in the docs, but the AWS Policy Generator has only two values, "Allow" and "Deny". Does anyone have the syntax for a default deny?
Thanks for your help
You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/. In the Buckets list, choose the name of the bucket that you want to set permissions for. Choose Permissions. Under Access control list, choose Edit.
It's easier now.
Just set "Remove public access granted through public ACLs" to True.
The policy you were using does not work because the deny takes precedence over the allow, so all users are denied access. The correct way to do this is using the NotPrincipal policy element. It allows you to apply a policy to all principals except a specific list. Your policy should then be:
{
  "Version": "2008-10-17",
  "Id": "Policy1331136935471",
  "Statement": [
    {
      "Sid": "Stmt1331136294179",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::6527...3775:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::myBucket/*"
    },
    {
      "Sid": "Stmt1331136364169",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::6527...3775:root"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::myBucket/*"
    }
  ]
}
Note that I don't think the Allow is actually necessary, because your account should already have access to the files: the bucket/object owner is granted access by default. Though that depends on the ACLs of your objects.
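To see why the original "Deny to everyone, Allow to me" policy breaks the signed URL while the NotPrincipal version from the answer above works, here is a small model of the bucket-policy half of IAM evaluation. This is an added example, not code from the thread or from AWS: it applies the documented rules (an explicit Deny wins over any Allow, and no matching Allow is an implicit deny) to the two policies. A pre-signed URL is evaluated as the principal whose access key signed it, so the asker's URL is the "owner" requester here. The account ID 123456789012 and the IAM user "uploader" are placeholders standing in for the elided "6527...3775"; ARNs are matched exactly, which is a simplification of how AWS treats account-level principals.

```python
import json

# Placeholders (constructed for this example) standing in for the asker's account.
ACCOUNT = "123456789012"
OWNER = f"arn:aws:iam::{ACCOUNT}:root"
IAM_USER = f"arn:aws:iam::{ACCOUNT}:user/uploader"   # hypothetical IAM user
ANONYMOUS = "anonymous"          # an unsigned request; matches only Principal "*"
OBJECT = "arn:aws:s3:::myBucket/myFile.pdf"

# Policy 1: the asker's original. Deny to everyone, Allow to the owner.
DENY_ALL_POLICY = json.loads('''{
  "Version": "2008-10-17",
  "Statement": [
    {"Effect": "Deny",  "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::myBucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "%s"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::myBucket/*"}
  ]
}''' % OWNER)

# Policy 2: the answer's fix. The Deny applies to everyone NOT listed.
NOT_PRINCIPAL_POLICY = json.loads('''{
  "Version": "2008-10-17",
  "Statement": [
    {"Effect": "Deny",  "NotPrincipal": {"AWS": "%s"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::myBucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "%s"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::myBucket/*"}
  ]
}''' % (OWNER, OWNER))


def _glob(pattern, value):
    """Trailing-'*' wildcard as used in Action and Resource ("s3:*", ".../*")."""
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == value


def _as_list(x):
    return [x] if isinstance(x, str) else list(x)


def _principal_applies(stmt, principal):
    """Principal: the statement applies to the listed ARNs ("*" is everyone,
    the owner included). NotPrincipal: it applies to everyone EXCEPT the listed
    ARNs. ARNs are compared exactly (simplification: no account delegation)."""
    if "Principal" in stmt:
        spec = stmt["Principal"]
        listed = _as_list(spec if spec == "*" else spec["AWS"])
        return any(p == "*" or p == principal for p in listed)
    if "NotPrincipal" in stmt:
        return principal not in _as_list(stmt["NotPrincipal"]["AWS"])
    return False


def evaluate(policy, principal, action, resource):
    """Bucket-policy decision: an explicit Deny wins over any Allow; with no
    matching Allow the result is an implicit deny. An explicit Deny in the
    bucket policy also overrides a public-read object ACL."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_principal_applies(stmt, principal)
                and any(_glob(a, action) for a in _as_list(stmt["Action"]))
                and any(_glob(r, resource) for r in _as_list(stmt["Resource"]))):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def decisions(policy):
    """GetObject decision per requester. A pre-signed URL is evaluated as the
    principal whose key signed it, so "owner_presigned" is the asker's URL."""
    return {
        "anonymous": evaluate(policy, ANONYMOUS, "s3:GetObject", OBJECT),
        "owner_presigned": evaluate(policy, OWNER, "s3:GetObject", OBJECT),
        # Not listed in NotPrincipal, so the Deny still catches this signer.
        "iam_user_presigned": evaluate(policy, IAM_USER, "s3:GetObject", OBJECT),
    }


if __name__ == "__main__":
    for name, pol in (("deny-all + allow", DENY_ALL_POLICY),
                      ("NotPrincipal", NOT_PRINCIPAL_POLICY)):
        print(name, decisions(pol))
```

Under the first policy every requester, the owner's signed URL included, hits the Deny for "*" and gets ExplicitDeny; under the NotPrincipal policy the anonymous request is denied and the owner's signed URL is allowed. The third requester shows the caveat to check before deploying: a URL signed by an IAM user whose ARN is not listed in NotPrincipal is still denied in this model, which is why the IAM documentation's NotPrincipal example lists the user ARN alongside the account root ARN. List every principal that must keep access, and verify with a signed URL from each before relying on the policy.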