How do I do an OR condition in an S3 bucket policy?

Question

I'm working on an S3 bucket policy. The idea is to explicitly deny access to all IAM users within the account, except for those explicitly granted.

I found a blog post that explains how to restrict access to a specific user. It works well. However, I want to extend the syntax to include a second IAM user that will be allowed access. This is, in effect, an OR condition.

But, I've very new to JSON, and I'm not sure how to go about that.

Here is the policy that works for restricting access to a single user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDA<obfuscated id>:*",
                        "AIDA<obfuscated id>",
                        "111111111111"
                    ]
                }
            }
        }
    ]
}

Can anyone help me edit the above JSON to allow for an OR condition where I could specify an additional userid that would be allowed access?

AdvThanksance!

Answer 1

You don't need to create this deny rule since all requests are denied by default unless there is an explicit allow rule.

To authorize multiple IAM users, you can list them as array elements. So, you could write your bucket policy as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllS3ActionsForSpecificIAMUsers",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-number-without-hyphens>:user/<username1>",
          "arn:aws:iam::<account-number-without-hyphens>:user/<username2>"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket", 
        "arn:aws:s3:::my-bucket/*"
      ]
    } 
  ]
}

You can find out more about the Principal element here .

Answer 2

Ok, I figured this out.

First, I tried adding a second StringgNotLike clause to the Condition , but that didn't work.

After doing as bit more reading, I realized the Condition clause accepts multiple key/value pairs. In fact, the original policy I showed in my question already did that. I just needed to add more values to the array that was already there.

The policy that works, looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-private-bucket",
                "arn:aws:s3:::my-private-bucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDA<obfuscated-id-1>:*",
                        "AIDA<obfuscated-id-1>",
                        "AIDA<obfuscated-id-2>:*",
                        "AIDA<obfuscated-id-2>",
                        "111111111111"
                    ]
                }
            }
        }
    ]
}

When I realized that the key had already specified an array of values, I just added the second user id to the array, and it worked great.