
AWS S3 Bucket Policy with NotPrincipal denying access

I have configured my S3 bucket with Bucket Policy that looks like this

{
    "Version": "2012-10-17",
    "Id": "Policy100000000000",
    "Statement": [
        {
            "Sid": "Stmt1463490591045",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        },
        {
            "Sid": "Stmt1463490591012",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::012345678900:user/user1",
                    "arn:aws:iam::012345678900:user/user2"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucketname"
        },
        {
            "Sid": "Stmt1463490660089",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::012345678900:user/user1",
                    "arn:aws:iam::012345678900:user/user2"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*.xml"
        }
    ]
}

The goal is to allow access to xml files in the bucket root to the selected users only. The rule doesn't seem to be working, since I get access denied:

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>DE3DB1FF18B53997</RequestId><HostId>Iy+RnfkFKygJWkSTI0dXjssFsGFP2MydZZi/R5KBw5M8mZnfClt6HMOKJvAwy7sJgSx9BJQ3DbN=</HostId></Error>

I've tried fetching the xml files with AWS Node.js and Python SDKs and with aws-cli. I keep getting the same access denied message.

The AWS documentation regarding Bucket Policies is quite scattered around and has not provided me with a solution to the problem. There's very little documentation at all about using notPrincipal in the policy.

The ListBucket permission works all right, which means that the problem is specific to the rule, not the target users.

The goal is to allow access to xml files in the bucket root to the selected users only

As per the current documentation, S3 does not support a file-listing resource per postfix/filetype. It only supports prefixes, so you would need to put a star without .xml at the end (which allows access to all objects at the folder layer); then you could implement logic in your app to decide whether to allow access to the file or not.

For the bucket policy, by default, the S3 policy would give access to users from the account (where the bucket was created), as long as the IAM policy has the permission to do so. This is defined by the ACL (Access Control List); go to S3 > Permission > Access Control List to check it out [AWS S3 ACL docs]. So the first 2 statements might not be necessary. For the last statement, this might work but needs an additional assumed-role ARN, which will vary depending on what is defined for the role session name.

It is recommended not to use NotPrincipal, and instead use the Condition key in the statement. Put the roleId as the userId in the StringNotLike statement so that the deny statement is ignored for that particular roleId. Also include the account number in the userId. Example as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "ROLE_ID_HERE:*",
            "ACCOUNT_NUMBER_HERE"
          ]
        }
      }
    }
  ]
}

Check out this AWS blog for more info: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

Your last deny policy simply doesn't say what should happen (allow or deny) to requests with principal user1 or user2. When you send an S3 request as user1 or user2, the bucket policy won't have any effect (since it doesn't have any rule matching the principal user1 or user2 with respect to the given action and the given resource).

The goal is to allow access to xml files in the bucket root to the selected users only

In this situation, you can mention a rule for explicitly allowing those users the access to your xml files.

{
    "Sid": "Stmt1463490660089",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::012345678900:user/user1",
            "arn:aws:iam::012345678900:user/user2"
        ]
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucketname/*.xml"
}
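The evaluation the answers reason about, as an added example that is not part of this thread or of AWS's own tooling: a simplified Python model of bucket-policy evaluation (a matching Deny wins, otherwise a matching Allow grants, otherwise implicit deny) run against the question's three statements. It assumes principals are plain IAM ARN strings, that "Principal": "*" matches every caller including unsigned requests, and it ignores identity policies, ACLs and Conditions; user3 and the "anonymous" marker are constructed for the demonstration.

```python
# Simplified model of S3 bucket-policy evaluation (added example, not AWS code).
# Identity policies, ACLs, Conditions and cross-account rules are not modelled.
from fnmatch import fnmatchcase

ACCOUNT = "arn:aws:iam::012345678900:"        # account from the question
USER1, USER2 = ACCOUNT + "user/user1", ACCOUNT + "user/user2"
USER3 = ACCOUNT + "user/user3"                 # constructed: not in either list
ANONYMOUS = "anonymous"                        # constructed marker: unsigned request

# Transcription of the policy posted in the question.
POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::bucketname/*"},
    {"Effect": "Allow", "Principal": {"AWS": [USER1, USER2]},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucketname"},
    {"Effect": "Deny", "NotPrincipal": {"AWS": [USER1, USER2]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucketname/*.xml"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_in(spec, principal):
    """True if `spec` ("*", one ARN, or {"AWS": [...]}) names `principal`."""
    if isinstance(spec, str):
        return spec == "*" or spec == principal
    return principal in _as_list(spec.get("AWS", []))

def statement_applies(stmt, principal, action, resource):
    """Does the statement match this (principal, action, resource) request?"""
    if "Principal" in stmt and not _principal_in(stmt["Principal"], principal):
        return False
    if "NotPrincipal" in stmt and _principal_in(stmt["NotPrincipal"], principal):
        return False          # NotPrincipal: listed principals are exempt
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    # "*" in an ARN pattern matches any characters, including "/" in the key
    return any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))

def evaluate(policy, principal, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for the request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_applies(stmt, principal, action, resource):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # an explicit deny always wins
            decision = "Allow"
    return decision

if __name__ == "__main__":
    xml = "arn:aws:s3:::bucketname/report.xml"
    for who in (USER1, USER3, ANONYMOUS):
        print(who, "GetObject report.xml ->", evaluate(POLICY, who, "s3:GetObject", xml))
```

Under this model the listed users are allowed the xml objects by the first statement and exempted from the deny, while every other caller hits the explicit deny; a real AccessDenied for user1 therefore has to come from something the model leaves out (the user's identity policy, the credentials the SDK actually picked up, or the ACL).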
