Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to write an S3 bucket policy to *only* allow specific IAM role and Cloudfront Origin Access Identity?

Tags:

amazon-s3

amazon-cloudfront

amazon-iam

My overall objective: I tried several things and read relevant AWS documentation but am unable to figure how to write an S3 bucket policy to allow access only to specific IAM role and Cloudfront Origin Access Identity(OAI), and deny everyone else.

What I've tried so far: 1. I found this blog, which shows how to restrict s3 bucket access to specific IAM roles:https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/ 2. Based on the above blog, I wrote the following bucket policy. This policy allows only MY_IAM_ROLE to allow all operations on a bucket called 'myBucket':

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::myBucket",
                "arn:aws:s3:::myBucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "MY_IAM_ROLE_USER_ID:*"
                    ]
                }
            }
        }
    ]
}
  1. I'm not able to find an aws-wide key -- http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html -- for the OAI, which I could plug into the "aws:userId" array along with MY_IAM_ROLE_USER_ID. I tried plugging in the OAI's CanonicalUserId but it didn't work.

My question: How can I combine (1) aws:userid of IAM roles/users and (2) OAI IDs in a single policy statement?

like image 364
ktrace Avatar asked Sep 10 '17 14:09

ktrace

People also ask

How to assign an IAM policy to S3 bucket?

Lets go ahead and assign the IAM policy which we have created , So that the IAM user can get the access to manage the Objects of the Specific S3 bucket as per the policy. Provide a name for the IAM user. Then we are going to choose the access type the user can use to access AWS resources.

Can I use CloudFront Origin Access identity (OAI) with Amazon S3?

The following example bucket policy grants a CloudFront origin access identity (OAI) permission to get (read) all objects in your Amazon S3 bucket. You can use a CloudFront OAI to allow users to access objects in your bucket through CloudFront but not directly through Amazon S3.

What is the S3 bucket policy?

The S3 bucket policy restricts access to only the role. Both the IAM user and the role can access buckets in the account. The role is able to access both buckets, but the user can access only the bucket without the bucket policy attached to it.

Which Amazon S3 bucket policies grant access to a CloudFront OAI?

For example, the s3:GetObject permission allows the OAI to read objects in the bucket. For more information, see the examples in the following section, or see Specifying Permissions in a Policy in the Amazon Simple Storage Service User Guide . The following examples show Amazon S3 bucket policies that grant access to a CloudFront OAI.

Video Answer

1 Answers

My older answer would support some people but may not yours precisely. So, I am posting another answer which will address your need more precisely. The following role policy will allow access to IAM role and OAI and will deny every one else:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        },
        {
            "Sid": "2",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXXXXXXX",
                    "arn:aws:iam::AWS-account-ID:role/role-name"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}
like image 73
Nah Avatar answered Sep 17 '22 22:09

Nah
Sign in to Comment

Related questions

Does SQS really send multiple S3 PUT object records per message?
Cost of renaming a folder in AWS S3 bucket
AWS Lambda triggered by PUT to s3 bucket in separate account
Redirect output of console to a file on AWS S3
AWS S3 max file and upload sizes
AWS CloudFront with Signed URL: 403 Access Denied
How do I set the Content-Type of an existing S3 key with boto3?
Laravel and AWS Cloudfront
Listing S3 bucket objects with specific storage class
Reading multiple files from S3 in parallel (Spark, Java)
Is it possible to access a private s3 bucket objects without using a pre-signed URL? (boto3, python)
AWS Athena create table and partition
Testing Carrierwave file uploads to s3 with Capybara and Rspec
Error retrieving credentials from the instance profile metadata server. Laravel S3
AWS Athena MSCK REPAIR TABLE takes too long for a small dataset
Wrong Image orientation when uploading - Amazon S3
AWS CloudFront Leverage browser caching
Issues Uploading JSON to s3 using node.js
How to trigger my Lambda Function once the file is uploaded to s3 bucket
CodeDeploy to S3

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!