I searched through existing questions and couldn't find an answer, hence posting here.
I want to restrict access to an S3 bucket for all users except a select few, using an S3 bucket policy. I understand an IAM policy is easy to manage and administer, but I don't want to create roles and groups for this specific case and want an S3 bucket policy created instead.
Here is what I have tried so far; it is not restricting access to users as expected.
{
    "Version": "2012-10-17",
    "Id": "bucketPolicy",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::1234567890:user/allowedusername"]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::examplebucket",
                "arn:aws:s3:::examplebucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": ["arn:aws:iam::1234567890:user/denieduser"]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::examplebucket",
                "arn:aws:s3:::examplebucket/*"
            ]
        }
    ]
}
I tried to deny all like below, but that explicit deny took precedence over the allow and I myself am not able to access the bucket now ;-( That's another issue I have.
{
    "Effect": "Deny",
    "Principal": {
        "AWS": ["*"]
    },
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
    ]
}
To achieve what you want, use an explicit deny with a NotPrincipal policy element. The policy below will ensure no other user can access the bucket other than the users listed in the NotPrincipal element:
{
    "Id": "bucketPolicy",
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::1234567890:user/alloweduser"
                ]
            },
            "Resource": [
                "arn:aws:s3:::examplebucket",
                "arn:aws:s3:::examplebucket/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}
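The following is an added example, not code from the question or the answer above, and it does not call AWS. It is a toy evaluator that models only the part of AWS policy evaluation this thread turns on: an explicit Deny beats any Allow, and for a principal in the bucket's own account an Allow in either the caller's IAM identity policy or the bucket policy is enough. Running the three policies from the page through it shows why the first attempt did not restrict anyone not named in it, why the "deny all" attempt locked the asker out too, and that the NotPrincipal policy only denies the others; the allowed user still needs an Allow from somewhere. Assumptions: the account id and user names are the ones written in the page's policies, the object key `report.csv` is constructed for the demo, and the account root ARN is added to the NotPrincipal list following the AWS IAM documentation's recommendation for Deny with NotPrincipal, so the account's root user is not locked out as well.

```python
"""Toy model of S3 bucket-policy evaluation (added example; not an AWS library)."""
from fnmatch import fnmatchcase

ACCOUNT = "1234567890"                      # account id as written on the page
BUCKET_ARN = "arn:aws:s3:::examplebucket"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"   # assumption: added per AWS NotPrincipal docs


def user(name):
    """ARN of an IAM user in the bucket owner's account."""
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def _listify(value):
    return value if isinstance(value, list) else [value]


def _principal_listed(spec, principal_arn):
    """True if principal_arn is covered by a Principal / NotPrincipal value."""
    if spec == "*":
        return True
    arns = _listify(spec.get("AWS", []))
    return "*" in arns or principal_arn in arns


def _glob_any(patterns, value):
    """IAM-style wildcard match ("s3:*", "arn:aws:s3:::bucket/*")."""
    return any(fnmatchcase(value, p) for p in _listify(patterns))


def statement_applies(stmt, principal_arn, action, resource):
    """Does the statement match this request? NotPrincipal inverts the principal test."""
    if "Principal" in stmt and not _principal_listed(stmt["Principal"], principal_arn):
        return False
    if "NotPrincipal" in stmt and _principal_listed(stmt["NotPrincipal"], principal_arn):
        return False
    return _glob_any(stmt["Action"], action) and _glob_any(stmt["Resource"], resource)


def evaluate_bucket_policy(policy, principal_arn, action, resource):
    """Bucket policy alone: 'explicit_deny', 'allow' or 'implicit_deny'."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, principal_arn, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"          # a matching Deny can never be overridden
        decision = "allow"
    return decision


def decide(policy, principal_arn, action, resource, identity_allows):
    """Same-account request: bucket policy combined with the caller's IAM policy."""
    bucket = evaluate_bucket_policy(policy, principal_arn, action, resource)
    if bucket == "explicit_deny":
        return "explicit_deny"
    if bucket == "allow" or identity_allows:  # either side may grant the access
        return "allow"
    return "implicit_deny"


BUCKET_AND_OBJECTS = [BUCKET_ARN, BUCKET_ARN + "/*"]

# Policy 1: the asker's first attempt (Allow one user, Deny one user).
ALLOW_ONE_DENY_ONE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [user("allowedusername")]},
     "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS},
    {"Effect": "Deny", "Principal": {"AWS": [user("denieduser")]},
     "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS},
]}

# Policy 2: the asker's "deny all" attempt, which locked the asker out as well.
DENY_EVERYONE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": ["*"]},
     "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS},
]}

# Policy 3: the answer's Deny + NotPrincipal, with the root ARN added (assumption).
DENY_ALL_BUT_LISTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotPrincipal": {"AWS": [user("alloweduser"), ROOT_ARN]},
     "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS},
]}

if __name__ == "__main__":
    obj = BUCKET_ARN + "/report.csv"        # constructed sample object key
    for label, policy in [("allow-one/deny-one", ALLOW_ONE_DENY_ONE),
                          ("deny-everyone", DENY_EVERYONE),
                          ("deny-all-but-listed", DENY_ALL_BUT_LISTED)]:
        for who in ("allowedusername", "alloweduser", "denieduser", "someoneelse"):
            print(label, who, decide(policy, user(who), "s3:GetObject", obj, True))
```

The run shows the point of the thread: under the first policy a user not named in it (with an IAM policy that allows s3:GetObject) is still allowed, because the bucket policy's silence is only an implicit deny; under the NotPrincipal policy that same user gets an explicit deny, while the listed user is allowed only if some policy actually grants the action.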