
AWS IAM group policy on S3 resource affecting other groups?

This is a follow-up but independent question from AWS s3 bucket policy invalid group principal

I have 2 groups: Developers and Collaborators. Developers have the preconfigured "PowerUser" group policy. Collaborators have the following group policy:

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::bucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::bucket/*.txt"
      }
   ]
}

The bucket has the following policy to deny upload of unencrypted .txt files:

{
    "Version": "2008-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/*.txt",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        }
    ]
}

The behavior I expect: "Developer" group can put any type of file, ".txt" files must be encrypted, including making directories. "Collaborator" group can put, get and delete ".txt" files only, they cannot make directories.

The behavior I get is as expected for "Developer". The behavior of "Collaborators" is identical to Developers: they can put any file when they should only be able to put ".txt" files.

What am I doing wrong?

If you are sure this policy is only attached to the Collaborators group, then the Developers should not be affected.

From your related question, it seems you originally tried a bucket policy. Do you still have a bucket policy applied that restricts the whole bucket to *.txt files? Try removing any existing bucket policy.

After a lot of trial and error I attempted to do most of the permissions at the bucket level, got some unexpected behavior and had to split it over both group and bucket policy. Here is my group policy for "Collaborators":

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::bucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObject"
         ],
         "Resource":"arn:aws:s3:::bucket/*"
      }
   ]
}

Here is the bucket policy that only allows upload and delete of ".txt" files by the four users in the "Collaborator" group:

{
    "Version": "2008-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/*.txt",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "CelOnly",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/collaborator1",
                    "arn:aws:iam::111122223333:user/collaborator2",
                    "arn:aws:iam::111122223333:user/collaborator3",
                    "arn:aws:iam::111122223333:user/collaborator4"
                ]
            },
            "Action": [
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "NotResource": "arn:aws:s3:::bucket/*.txt"
        }
    ]
}

Including s3:GetObject in the bucket policy did not allow downloads of ".txt" files; that is why I had to move it to the group policy. I'm still unsure why it took so much trial and error and why some of my other solutions, such as the one in the original question, did not work, but at least this is the answer to my problem.
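The behaviour the two posts circle around is the same-account evaluation rule: Allow statements in the group (identity) policy and in the bucket (resource) policy are unioned, and an explicit Deny from either side wins over everything. The following is an added example, not code from the question or the answers: a small offline model of that rule, run over the Collaborators group policy from the question, the DenyUnEncryptedObjectUploads statement, and the CelOnly deny from the second answer. The bucket name "bucket", the account id and the collaborator user names are taken from the posts; the "LeftoverAllowAll" statement is an assumption standing in for the broad bucket policy the first answer suspects was still attached.

```python
"""Offline model of the IAM rules this thread turns on.
Added example, not code from the post. The bucket name, account id and
user names follow the post; the "LeftoverAllowAll" statement is an
assumption standing in for a forgotten permissive bucket policy."""
import fnmatch

ACCOUNT = "111122223333"
BUCKET = "arn:aws:s3:::bucket"


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def _lst(v):
    return v if isinstance(v, list) else [v]


def _glob(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one.
    return any(fnmatch.fnmatchcase(value, p) for p in _lst(patterns))


def _principal_ok(stmt, arn):
    if "Principal" not in stmt:  # identity-based policy: the principal is implied
        return True
    aws = _lst(stmt["Principal"].get("AWS", []))
    return "*" in aws or arn in aws


def _resource_ok(stmt, resource):
    if "NotResource" in stmt:
        return not _glob(stmt["NotResource"], resource)
    return _glob(stmt["Resource"], resource)


def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals":
                if have is None or have not in _lst(want):
                    return False
            elif op == "StringNotEquals":
                # Negated operator: a request that lacks the key still matches,
                # which is why the deny catches uploads with no SSE header.
                if have is not None and have in _lst(want):
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


def evaluate(identity_policies, resource_policies, principal, action, resource, ctx=None):
    """Same-account rule: Allows from both policy types are unioned, any matching
    explicit Deny wins, and nothing matching is an implicit deny."""
    ctx = ctx or {}
    verdict = "ImplicitDeny"
    for pol in list(identity_policies) + list(resource_policies):
        for s in pol["Statement"]:
            if not (_principal_ok(s, principal) and _glob(s["Action"], action)
                    and _resource_ok(s, resource)
                    and _condition_ok(s.get("Condition", {}), ctx)):
                continue
            if s["Effect"] == "Deny":
                return "Deny:" + s.get("Sid", "unnamed")
            verdict = "Allow"
    return verdict


# The Collaborators group policy from the question, condensed.
COLLAB_GROUP = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/*.txt"},
]}

DENY_UNENCRYPTED = {
    "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": {"AWS": "*"},
    "Action": "s3:PutObject", "Resource": BUCKET + "/*.txt",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}

# Assumed: a broad Allow left behind from an earlier experiment (not on the page).
LEFTOVER_ALLOW = {"Sid": "LeftoverAllowAll", "Effect": "Allow", "Principal": {"AWS": "*"},
                  "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}

# The CelOnly deny from the second answer.
CEL_ONLY = {"Sid": "CelOnly", "Effect": "Deny",
            "Principal": {"AWS": [user_arn(f"collaborator{i}") for i in range(1, 5)]},
            "Action": ["s3:DeleteObject", "s3:PutObject"], "NotResource": BUCKET + "/*.txt"}

BUCKET_CLEAN = {"Statement": [DENY_UNENCRYPTED]}
BUCKET_LEFTOVER = {"Statement": [DENY_UNENCRYPTED, LEFTOVER_ALLOW]}
BUCKET_FIXED = {"Statement": [DENY_UNENCRYPTED, LEFTOVER_ALLOW, CEL_ONLY]}

SSE = {"s3:x-amz-server-side-encryption": "AES256"}  # request header present


def collaborator_put(bucket_policy, key, ctx=None):
    return evaluate([COLLAB_GROUP], [bucket_policy], user_arn("collaborator1"),
                    "s3:PutObject", f"{BUCKET}/{key}", ctx)


if __name__ == "__main__":
    cases = [("notes.txt", SSE), ("notes.txt", None), ("photo.jpg", SSE)]
    for name, pol in [("clean", BUCKET_CLEAN), ("leftover", BUCKET_LEFTOVER), ("fixed", BUCKET_FIXED)]:
        for key, ctx in cases:
            sse = "yes" if ctx else "no"
            print(f"{name:9} {key:10} sse={sse:3} -> {collaborator_put(pol, key, ctx)}")
```

With only the encryption deny attached, the group policy alone decides and a collaborator cannot put `photo.jpg`; once any `Principal: "*"` Allow sits in the bucket policy, that same upload is allowed even though the group policy never mentioned it, which is the symptom in the question. The CelOnly statement restores the restriction because an explicit Deny beats every Allow, regardless of which policy carries it.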
