restrict access to AWS buckets in account while still allowing access to public buckets in other accounts
Question
For a given IAM user, I want to only allow that user access to one specific bucket in our account (call it foo-bucket ).
However, this seems to have the effect of disabling access to any public bucket outside our account, which is not what I want. I'd like the user to still have access to any public bucket in another account, for example broad-references . I could of course explicitly grant access to a specific public bucket, but there are countless public buckets in the world and I don't want to restrict access to any of them.
Here is the existing policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "economycloud",
"Action": [
"s3:List*",
"s3:Get*",
"s3:DeleteObject*",
"s3:Abort*",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:RestoreObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::foo-bucket/*",
"arn:aws:s3:::foo-bucket"
]
},
{
"Sid": "AllowListing",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
Can someone suggest an IAM policy that would do the following:
- Restrict access so that the user can only access this specific bucket in the account, as in the policy above, but
- Can access any public bucket in any other account.
1 answers
solution1
0 2019-10-15 18:11:15
Dan,
This is how you'll be able to achieve this:
- Explicitly Deny user's access to all the buckets in the specific account except that specific bucket (foo-bucket).
- Explicitly Allow user's access to that specific bucket (foo-bucket).
- Explicit allow to the buckets from all accounts.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.