Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to write an S3 bucket policy to *only* allow specific IAM role and Cloudfront Origin Access Identity?

My overall objective: I tried several things and read relevant AWS documentation but am unable to figure how to write an S3 bucket policy to allow access only to specific IAM role and Cloudfront Origin Access Identity(OAI), and deny everyone else.

What I've tried so far: 1. I found this blog, which shows how to restrict s3 bucket access to specific IAM roles:https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/ 2. Based on the above blog, I wrote the following bucket policy. This policy allows only MY_IAM_ROLE to allow all operations on a bucket called 'myBucket':

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::myBucket",
                "arn:aws:s3:::myBucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "MY_IAM_ROLE_USER_ID:*"
                    ]
                }
            }
        }
    ]
}
  1. I'm not able to find an aws-wide key -- http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html -- for the OAI, which I could plug into the "aws:userId" array along with MY_IAM_ROLE_USER_ID. I tried plugging in the OAI's CanonicalUserId but it didn't work.

My question: How can I combine (1) aws:userid of IAM roles/users and (2) OAI IDs in a single policy statement?

like image 364
ktrace Avatar asked Sep 10 '17 14:09

ktrace


People also ask

How to assign an IAM policy to S3 bucket?

Lets go ahead and assign the IAM policy which we have created , So that the IAM user can get the access to manage the Objects of the Specific S3 bucket as per the policy. Provide a name for the IAM user. Then we are going to choose the access type the user can use to access AWS resources.

Can I use CloudFront Origin Access identity (OAI) with Amazon S3?

The following example bucket policy grants a CloudFront origin access identity (OAI) permission to get (read) all objects in your Amazon S3 bucket. You can use a CloudFront OAI to allow users to access objects in your bucket through CloudFront but not directly through Amazon S3.

What is the S3 bucket policy?

The S3 bucket policy restricts access to only the role. Both the IAM user and the role can access buckets in the account. The role is able to access both buckets, but the user can access only the bucket without the bucket policy attached to it.

Which Amazon S3 bucket policies grant access to a CloudFront OAI?

For example, the s3:GetObject permission allows the OAI to read objects in the bucket. For more information, see the examples in the following section, or see Specifying Permissions in a Policy in the Amazon Simple Storage Service User Guide . The following examples show Amazon S3 bucket policies that grant access to a CloudFront OAI.


Video Answer


1 Answers

My older answer would support some people but may not yours precisely. So, I am posting another answer which will address your need more precisely. The following role policy will allow access to IAM role and OAI and will deny every one else:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        },
        {
            "Sid": "2",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXXXXXXX",
                    "arn:aws:iam::AWS-account-ID:role/role-name"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}
like image 73
Nah Avatar answered Sep 17 '22 22:09

Nah