A similar question on this topic has already been asked here, but none of the solutions on that post worked for me and it is quite old, which led me to believe that maybe something has changed in AWS that warranted asking a new question.
Basically, I am using a CloudFormation template to define an IAM group with an inline policy so that its users can only access a single S3 bucket. Based on the linked question, I arrived at the following template (the original posts used JSON but I'm using YAML):
BucketAccessGroup:
  Type: AWS::IAM::Group
  Properties:
    GroupName: my-bucket-admins
    Path: /my-bucket-admins/
    Policies:
      - PolicyName: MyBucketAccess
        PolicyDocument:
          Version: "2012-10-17"   # quoted so YAML parsers do not read it as a timestamp
          Statement:
            -
              Effect: Allow
              Action: s3:*
              Resource:
                - arn:aws:s3:::my-bucket-name
                - arn:aws:s3:::my-bucket-name/*
            -
              Effect: Allow
              Action: s3:ListAllMyBuckets
              Resource: "*"
Unfortunately, an IAM user in this group is allowed not only to list every other bucket (required for Console access), but also to open, modify, and delete them, and their objects! Obviously this is not desired behavior! Has something changed with AWS that makes this policy no longer valid? Does the policy not work the same in a CloudFormation template as it does on its own? Any help would be appreciated!
EDIT:
As stated in @wjordan's answer, it turns out that another policy was already giving the group full S3 permissions. I was adding the AWSLambdaFullAccess managed policy, which unexpectedly had an allow `s3:*` line (which I left out of the above code b/c I didn't think it was relevant!). Given the need to coexist with that policy, here is my updated CF template, which is working as intended and is also a bit more secure:
BucketAccessGroup:
  Type: AWS::IAM::Group
  Properties:
    GroupName: my-bucket-admins
    ManagedPolicyArns: [ "arn:aws:iam::aws:policy/AWSLambdaFullAccess" ]
    Policies:
      - PolicyName: MyBucketAccess
        PolicyDocument:
          Version: "2012-10-17"   # quoted so YAML parsers do not read it as a timestamp
          Statement:
            - # Prevent changing permissions in any way on the desired bucket
              Effect: Deny
              Action:
                - s3:DeleteBucket
                - s3:DeleteBucketPolicy
                - s3:PutBucketPolicy
                - s3:PutBucketAcl
              Resource:
                - arn:aws:s3:::my-bucket-name
                - arn:aws:s3:::my-bucket-name/*
            - # Prevent all S3 actions except listing buckets, on everything except the desired bucket (AWSLambdaFullAccess already allows s3:*)
              Effect: Deny
              NotAction: s3:ListAllMyBuckets
              NotResource:
                - arn:aws:s3:::my-bucket-name
                # The object ARN must be excluded too; otherwise this Deny also blocks every object inside the bucket
                - arn:aws:s3:::my-bucket-name/*
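To see why the updated template works alongside the managed policy, here is an added example (not from the question or answer) that replays IAM's identity-policy evaluation in miniature: an explicit Deny always wins, and NotAction/NotResource invert the match. The `s3:*` Allow is an assumed stand-in for what AWSLambdaFullAccess contributes; the `policy()` helper is hypothetical and also lets you try the variant where NotResource lists only the bucket ARN.

```python
import fnmatch

BUCKET = "arn:aws:s3:::my-bucket-name"

def policy(not_resource=(BUCKET, BUCKET + "/*")):
    """Constructed statement set: the s3:* Allow assumed to come from the managed
    policy, plus the two inline Deny statements from the updated template."""
    return [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
        {"Effect": "Deny",
         "Action": ["s3:DeleteBucket", "s3:DeleteBucketPolicy",
                    "s3:PutBucketPolicy", "s3:PutBucketAcl"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Deny", "NotAction": ["s3:ListAllMyBuckets"],
         "NotResource": list(not_resource)},
    ]

def _matches(patterns, value):
    # IAM wildcards: '*' spans any run of characters (including '/'), '?' one character
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def statement_applies(stmt, action, resource):
    """A statement applies when both clauses match; NotAction / NotResource invert."""
    act_ok = (_matches(stmt["Action"], action) if "Action" in stmt
              else not _matches(stmt["NotAction"], action))
    res_ok = (_matches(stmt["Resource"], resource) if "Resource" in stmt
              else not _matches(stmt["NotResource"], resource))
    return act_ok and res_ok

def evaluate(statements, action, resource):
    """Any applicable Deny wins outright; an applicable Allow grants access;
    no applicable statement at all is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

if __name__ == "__main__":
    for action, resource in [("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
                             ("s3:GetObject", BUCKET + "/report.csv"),
                             ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
                             ("s3:PutBucketPolicy", BUCKET)]:
        print(f"{action:22} {resource:45} -> {evaluate(policy(), action, resource)}")
    # With only the bucket ARN in NotResource, objects inside the bucket are denied too
    print("bucket-ARN-only NotResource, GetObject in bucket ->",
          evaluate(policy([BUCKET]), "s3:GetObject", BUCKET + "/report.csv"))
```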
The policy provided looks correct and not out of date to me. Are you sure that the IAM user in question doesn't have any additional groups/policies applied beyond the AWS::IAM::Group specified that would be granting them the unexpected permissions?
One way to confirm this would be to create a new IAM user from scratch and attempt to reproduce the issue there.