Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

IAM AWS S3 to restrict to a specific sub-folder

Tags:

amazon-web-services

amazon-s3

I'm using AWS S3 component to store files.

I have a bucket called "mybucket" and with the following folders :

+---Mybucket
\---toto1
\---toto2
+---toto3
|   \--- subfolder
|       \---subsubfolder
\---toto4

I have AWS console users that need only need to access "toto3" folder.

I tried to restrict the access to this folder, but the user must have the right to list the root of bucket. If I put additional rights to acces the root folder, users can browser "toto1" and "toto2" folders and I don't want.

I want to configure something like that:

  • Authorize to list all buckets of my S3 account (listAllBuckets policy)
  • Autorize to list the root of the bucket (it's OK for me if the user see the directories names)
  • Deny access for all prefix bucket different from "toto3"
  • Autorize every actions for the user in toto3 folder
  • I don't want to write an inclusive rules

I tried this IAM policy without any success :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": ["arn:aws:s3:::mybucket/toto3/*"]
        },
        {
            "Sid": "Stmt1457617383000",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": ["arn:aws:s3:::mybucket"]
        },
        {
            "Sid": "Stmt1457617230000",
            "Effect": "Deny",
            "Action": ["s3:*"],
            "Condition": {
                "StringNotLike": {
                    "s3:prefix": "toto3*"
                }
            },
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
like image 606
romain-nio Avatar asked Mar 11 '16 15:03

romain-nio

People also ask

How do I give access to a specific directory in S3 bucket?

If the IAM user and S3 bucket belong to the same AWS account, then you can grant the user access to a specific bucket folder using an IAM policy. As long as the bucket policy doesn't explicitly deny the user access to the folder, you don't need to update the bucket policy if access is granted by the IAM policy.

How do I restrict Amazon S3 bucket access to a specific IAM user?

You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.

1 Answers

Here's a policy that will work for you:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/toto3/*"
            ]
        },
        {
            "Sid": "Stmt1457617230000",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "",
                        "toto3/"
                    ]
                }
            },
            "Resource": [
                "arn:aws:s3:::mybucket*"
            ]
        }
    ]
}

Details:

  • ListAllMyBuckets is required by the Console. It shows a list of all buckets.
  • Any action permitted within the toto3/ path.
  • ListBucket (retrieve objects list) permitted in the root of the bucket and in the toto3/ path.

I successfully tested this solution.

AWS Documentation Reference: Allow Users to Access a Personal "Home Directory" in Amazon S3

like image 139
John Rotenstein Avatar answered Nov 20 '22 01:11

John Rotenstein
Sign in to Comment

Related questions

S3 Access column shows "Error" for all buckets
How to POST request to postman using AWS Lambda
The provided token is malformed or otherwise invalid
How can I increase my AWS s3 upload speed when using boto3?
How to do RDS IAM Authentication with Django?
How to throw HTTP error code with AWS Lambda using Lambda Proxy?
Template format error: Every Mappings attribute must be a String or a List
MalformedPolicyDocument when calling the CreatePolicy operation - AWS
What's the use case for RoleSessionName when assuming a role in AWS and how it affects the performance
AWS API Gateway {"message":"Missing Authentication Token"}
'Credential is missing' Error On Instantiating S3 Class Using AWS-SDK JS V3
security settings between Amazon EC2 instance and heroku
delete S3 object
Why might the CIDR/IP in DB security group be different from instance elastic IP?
Using AWS S3 for photo storage
Amazon S3 Write Only access
Error trying to install libjpeg-devel with elastic beanstalk
How to set S3 bucket policy to (mostly) private when object acl is public?
Python cassandra driver: Invalid or unsupported protocol version: 4
Amazon SES display sender name using PHP?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!