
Amazon S3 bucket policy, what am I doing wrong?

I used the Policy Generator to create a simple rule for my bucket; the rules should allow the following intended effect:

  • root access
  • limit access to given IAM user
  • allow read-only access to everyone

To this purpose I wrote the following rule, but something didn't work as expected; in particular, I have totally lost access to the bucket elements and was getting "Access Denied" in all cases, root included:

(screenshot: the bucket policy as written)

edit: with @jarmod's answer I was able to set the intended functionality; however, it triggers a warning about the bucket being public. I do not see the difference with respect to having no policy; the bucket is still publicly accessible for read-only. What is the difference?

(screenshot: the "bucket is public" warning)

Perhaps you could do this as follows:

  1. for all users, allow action s3:GetObject
  2. for all users except root and your specific IAM user, deny all actions except s3:GetObject

You could do this with a policy something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "NotAction": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "iam-userid-here",
                        "root-userid-here"
                    ]
                }
            }
        }
    ]
}

To get iam-userid-here, run aws iam list-users and retrieve the UserId for the IAM user.

Similarly, to get root-userid-here, simply retrieve the account number from the Arn of the previous aws iam list-users output. The root account userId is the AWS account number.

The IAM user indicated by iam-userid-here could then have an IAM policy allowing S3 access.
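The script below is an added example for this page, not part of jarmod's answer and not AWS code. It replays the two statements of the policy above through IAM's evaluation order (an explicit Deny wins; otherwise any matching Allow; otherwise implicit deny) for a few constructed callers. The user IDs standing in for iam-userid-here and root-userid-here, the callers' identity policies and the tiny evaluator are all assumptions made for illustration; the real engine supports far more operators and context keys. Two things become visible: the first statement grants s3:GetObject to an anonymous caller, which is exactly what a bucket with no policy does not do and why the console flags it as public; and the Deny is scoped to object ARNs (mybucket/*), so bucket-level actions such as s3:ListBucket on arn:aws:s3:::mybucket are neither allowed nor denied by this policy and fall back to whatever the caller's identity policies grant.

```python
"""Replay the bucket policy from the answer above through IAM's evaluation
order.  Added example, not jarmod's or AWS's code; the IDs, callers and
identity policies below are constructed stand-ins."""
import fnmatch

# Constructed placeholders for "iam-userid-here" and "root-userid-here".
IAM_USER_ID = "AIDAEXAMPLEIAMUSERID"   # shape of an IAM unique ID (constructed)
ROOT_USER_ID = "123456789012"          # root's aws:userId is the account number (constructed)
BUCKET = "arn:aws:s3:::mybucket"
OBJECTS = "arn:aws:s3:::mybucket/*"

# The bucket policy from the answer, with the two placeholders filled in.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": [OBJECTS]},
        {"Effect": "Deny", "Principal": "*", "NotAction": "s3:GetObject",
         "Resource": [OBJECTS],
         "Condition": {"StringNotLike": {"aws:userId": [IAM_USER_ID, ROOT_USER_ID]}}},
    ],
}

# Constructed callers: (request context, identity-based statements).
# An anonymous request has no aws:userId and carries no identity policy.
# Root is modelled as an identity that may do everything unless explicitly denied.
CALLERS = {
    "anonymous": ({}, []),
    "iam-user": ({"aws:userId": IAM_USER_ID},
                 [{"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, OBJECTS]}]),
    "root": ({"aws:userId": ROOT_USER_ID},
             [{"Effect": "Allow", "Action": "*", "Resource": "*"}]),
    # Another IAM user of the same account, NOT in the Deny's exception list.
    "other-user": ({"aws:userId": "AIDAEXAMPLEOTHERUSER"},
                   [{"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, OBJECTS]}]),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards are '*' and '?', which fnmatch also understands.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Only the operators used on this page (plus StringLike) are modelled."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            value = ctx.get(key)
            if operator == "StringLike":
                if value is None or not _matches(patterns, value):
                    return False
            elif operator == "StringNotLike":
                # Negated operators are true when the key is absent (anonymous).
                if value is not None and _matches(patterns, value):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(statements, action, resource, ctx):
    """Explicit Deny beats everything; otherwise any Allow; otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not _applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def decide(caller, action, resource):
    """Combine the bucket policy (Principal "*" reaches every caller) with the
    caller's own identity statements, as happens within one AWS account."""
    ctx, identity_statements = CALLERS[caller]
    return evaluate(BUCKET_POLICY["Statement"] + identity_statements, action, resource, ctx)


if __name__ == "__main__":
    checks = [("anonymous", "s3:GetObject", BUCKET + "/index.html"),
              ("anonymous", "s3:PutObject", BUCKET + "/index.html"),
              ("iam-user", "s3:PutObject", BUCKET + "/index.html"),
              ("root", "s3:DeleteObject", BUCKET + "/index.html"),
              ("other-user", "s3:PutObject", BUCKET + "/index.html"),
              ("other-user", "s3:ListBucket", BUCKET)]
    for caller, action, resource in checks:
        print(f"{caller:11} {action:16} {resource:36} -> {decide(caller, action, resource)}")
```

The last line of the table is the one to watch when reviewing a policy like this: the Deny never sees requests against the bucket ARN itself, so it restricts what non-exempt principals may do to objects, not whether they can list the bucket. If that is intended to be blocked too, the Deny's Resource needs the bucket ARN alongside the object wildcard.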
