How to restrict Upload to an S3 bucket for everyone except an IAM Role
Question
I can't figure out how to restrict the s3 upload functionality -- specifically: s3Client.putObject(request); (using Java SDK v1.11.298)
My setup is identical to the How to Restrict Amazon S3 Bucket Access to a Specific IAM Role blog post
bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::MyExampleBucket",
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAEXAMPLEID:*",
"111111111111"
]
}
}
}
]
}
My user is in a group that has AdministratorAccess which transitively gives him s3:* permissions.
From what I understand that should be overridden by the bucket's polity that explicitly only allows for users who assume the role to take any action the bucket.
The funny thing is that, read permissions act as expected. If the user doesn't assume the Role associated to AROAEXAMPLEID they are not able to read the files in the bucket, but they are still allowed to upload.
I need to restrict upload and read to only users who can assume the role.
1 answers
solution1
1 ACCPTED 2018-03-23 13:55:16
S3 policies (bucket or IAM) can be difficult because it isn't always clear whether the action expects to be applied to the bucket itself as "Resource": "arn:aws:s3:::MyExampleBucket" or the objects as "Resource": "arn:aws:s3:::MyExampleBucket/*" .
In the case of the s3:PutObject action, it's the path, while the policy shown only impacts the bucket. For the s3:* action, you want both.
"Resource": [
"arn:aws:s3:::MyExampleBucket",
"arn:aws:s3:::MyExampleBucket/*"
], ...
The Resource key in policies accepts either a string or an array of strings.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.