S3 bucket policy: In a Public Bucket, make a sub-folder private

I have a bucket filled with contents that need to be mostly public. However, there is one folder (aka "prefix") that should only be accessible by an authenticated IAM user.

{
  "Statement": [
    {
      "Sid": "AllowIAMUser",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/prefix1/prefix2/private/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/bobbydroptables"
        ]
      }
    },
    {
      "Sid": "AllowAccessToAllExceptPrivate",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/*",
      "Condition": {
        "StringNotLike": {
          "s3:prefix": "prefix1/prefix2/private/"
        }
      },
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}

When I try to save this policy I get the following error messages from AWS:

Conditions do not apply to combination of actions and resources in statement -
  Condition "s3:prefix"
  and action "s3:GetObject"
  in statement "AllowAccessToAllExceptPrivate"

Obviously this error applies specifically to the second statement. Is it not possible to use the "s3:prefix" condition with the "s3:GetObject" action?

Is it possible to take one portion of a public bucket and make it accessible only to authenticated users?

In case it matters, this bucket will only be accessed read-only via the API.

This question is similar to Amazon S3 bucket policy for public restrictions only, except I am trying to solve the problem by taking a different approach.

SunSparc Avatar asked Dec 06 '13 20:12
1 Answer

After much digging through AWS documentation, as well as many trial and error permutations in the policy editor, I think I have found an adequate solution.

Apparently, AWS provides an option called NotResource (not found in the Policy Generator currently).

The NotResource element lets you grant or deny access to all but a few
of your resources, by allowing you to specify only those resources to
which your policy should not be applied.

With this, I do not even need to play around with conditions. This means that the following statement will work in a bucket policy:

{
  "Sid": "AllowAccessToAllExceptPrivate",
  "Action": [
    "s3:GetObject",
    "s3:GetObjectVersion"
  ],
  "Effect": "Allow",
  "NotResource": [
    "arn:aws:s3:::bucket/prefix1/prefix2/private/*",
    "arn:aws:s3:::bucket/prefix1/prefix2/private"
  ],
  "Principal": {
    "AWS": [
      "*"
    ]
  }
}
SunSparc Avatar answered Sep 30 '22 17:09
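The error in the question arises because s3:prefix is a condition key evaluated on bucket-listing requests (s3:ListBucket); an s3:GetObject request already names a full object key, so the condition has nothing to apply to. The answer's NotResource statement sidesteps that by matching on the object ARN instead. The following script is an added example, not code from the question or the answer: it is a small offline evaluator that applies the relevant parts of the IAM evaluation logic (Resource and NotResource wildcard matching, Principal matching, explicit Deny over Allow, implicit deny otherwise) to the combined policy, so the carve-out can be sanity-checked against sample keys before uploading it. The bucket name and user ARN are the ones from the post; the object keys and the "anonymous" principal label are constructed sample values, and the evaluator is a teaching model, not the AWS policy engine.

```python
"""Offline sanity check for the public-bucket-with-private-prefix policy.

Added example (assumptions): bucket name and IAM user ARN are taken from the
post; the object keys below are constructed samples. Only the policy features
used by this bucket policy are modelled: Action, Principal, Resource,
NotResource and Effect. Conditions are not modelled.
"""
import fnmatch
import json

BUCKET = "bucket"                                                  # from the post
IAM_USER = "arn:aws:iam::123456789012:user/bobbydroptables"        # from the post
ANONYMOUS = "anonymous"  # constructed label for an unsigned (public) request

# The asker's AllowIAMUser statement plus the answer's NotResource statement,
# embedded as JSON so the script runs stand-alone.
POLICY = json.loads("""
{
  "Statement": [
    {
      "Sid": "AllowIAMUser",
      "Action": ["s3:GetObject"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/prefix1/prefix2/private/*",
      "Principal": {"AWS": ["arn:aws:iam::123456789012:user/bobbydroptables"]}
    },
    {
      "Sid": "AllowAccessToAllExceptPrivate",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Effect": "Allow",
      "NotResource": [
        "arn:aws:s3:::bucket/prefix1/prefix2/private/*",
        "arn:aws:s3:::bucket/prefix1/prefix2/private"
      ],
      "Principal": {"AWS": ["*"]}
    }
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _arn_matches(patterns, arn):
    """IAM treats '*' as a multi-character wildcard; fnmatch does the same."""
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def _principal_matches(statement, principal):
    """'*' means any principal (including unsigned requests)."""
    p = statement["Principal"]
    if p == "*":
        return True
    allowed = _as_list(p["AWS"])
    return "*" in allowed or principal in allowed


def _resource_matches(statement, arn):
    """Resource lists what the statement covers; NotResource lists what it excludes."""
    if "Resource" in statement:
        return _arn_matches(statement["Resource"], arn)
    return not _arn_matches(statement["NotResource"], arn)


def evaluate(policy, principal, action, key):
    """Return 'Allow' or 'Deny' for one request against one object key.

    An explicit Deny wins over any Allow; with no matching Allow the request
    is implicitly denied, which is what keeps the private prefix private.
    """
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    decision = "Deny"  # implicit default
    for st in policy["Statement"]:
        if action not in _as_list(st["Action"]):
            continue
        if not _principal_matches(st, principal):
            continue
        if not _resource_matches(st, arn):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def publicly_readable(policy, keys):
    """Return the subset of keys an unsigned s3:GetObject request would be allowed to read."""
    return [k for k in keys if evaluate(policy, ANONYMOUS, "s3:GetObject", k) == "Allow"]


if __name__ == "__main__":
    sample_keys = [  # constructed sample object keys
        "images/logo.png",
        "prefix1/prefix2/private/secret.txt",
        "prefix1/prefix2/private",
        "prefix1/prefix2/privateer.txt",
    ]
    print("public:", publicly_readable(POLICY, sample_keys))
    for who in (ANONYMOUS, IAM_USER):
        for act in ("s3:GetObject", "s3:GetObjectVersion"):
            print(who, act, evaluate(POLICY, who, act, "prefix1/prefix2/private/secret.txt"))
```

Two things the run makes visible that the policy text alone does not: the exclusion is a path match, so a sibling key such as `prefix1/prefix2/privateer.txt` stays public (as intended, but worth knowing when choosing prefix names), and the IAM user is granted only s3:GetObject on the private prefix, so s3:GetObjectVersion there is implicitly denied for everyone. Note also that AWS only honours this public Allow if the bucket's public access settings permit it.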