Amazon S3 bucket policy deny putObject permissions to all but one user
Question
My goal is to allow one user to put objects into an s3 bucket. I thought of applying a bucket policy. I understand that you can't deny PutObjects to all users, and then override that with an allow to the desired user. I had hoped to use the Condition "ArnNotEquals" to exclude a single user from the deny policy statement:
"Statement": [
{
"Sid": "allow only OneUser to put objects",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucket/*",
"Condition": {
"ArnNotEquals": {
"aws:SourceArn": "arn:aws:iam::123456789012:user/OneUser"
}
}
}
]
However, this has the result of denying PutObjects to all users. Am I on the right track? Is there a bucket policy I can craft for this? Or do I need to look elsewhere, like an ACL ( Access Control List )?
2 answers
solution1
8 2015-03-17 16:18:59
The way to do this is using the NotPrincipal policy element. It allows you to apply a policy to all principles except a specific list. Your policy would then become:
"Statement": [
{
"Sid": "allow only OneUser to put objects",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::123456789012:user/OneUser"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucket/*"
}
]
solution2
0 2018-03-26 09:05:36
Try like this.. SourceArn → Arn
"Statement": [
{
"Sid": "allow only OneUser to put objects",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucket/*",
"Condition": {
"ArnNotEquals": {
"aws:Arn": "arn:aws:iam::123456789012:user/OneUser"
}
}
}
]
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.