How to restrict access to an AWS S3 bucket only to a specific role?

Question

In my AWS project, I have a lambda function, called by an API in API Gateway, that gets a file in a S3 bucket.

I try to secure my S3 bucket as much as possible, and after reading this and this , here is what I did in my CloudFormation template:

• in the policy of the IAM role of the API:

  - Effect: 'Allow'
    Action:
      - "s3:GetObject"
    Resource: 'arn:aws:s3:::exampleS3Bucket/*'

• and in the policy of my S3 bucket:

  - Effect: "Deny"
    Action:
      - "s3:*"
    Principal: "*"
    Resource:
      - 'arn:aws:s3:::exampleS3Bucket'
      - 'arn:aws:s3:::exampleS3Bucket/*'
    Condition:
      StringNotLike:
        aws:userId:
          - "<API_IAM_ROLE_ID>"

According to the documentation, you can retrieve the API_IAM_ROLE_ID by calling the following AWS CLI command: aws iam get-role --role-name <YOUR_IAM_ROLE> .

But I face two issues:

• it doesn't work, I still have an Access Denied error
• even if it works, it does not look like a clean solution, especially if I want to deal with multiple environments (dev, staging, prod...)

EDIT

I also tried the following S3 bucket policy:

  - Effect: "Deny"
    Action:
      - "s3:*"
    NotPrincipal:
      AWS:
        - "arn:aws:iam::123456789012:root"
        - "arn:aws:iam::123456789012:role/my-api-role"
    Resource:
      - 'arn:aws:s3:::exampleS3Bucket'
      - 'arn:aws:s3:::exampleS3Bucket/*'

But when I call my API, that calls a lambda that calls S3.GetObject(), I still have an "Access Denied" exception.

How can I fix that?

Thanks.

Answer 1

Denying access to a particular bucket can be tricky.

For example, Admins might have the ability to modify Roles and Bucket Policies, so they would be able to regain access to the bucket.

A common practice is to put sensitive information in a bucket in a different AWS Account , then provide access to the bucket only to specific users in the 'main' account. This way, the default is that nobody in the main account has access. It also simplifies the design of permissions, since there is no need to apply Deny policies.

An example would be where sensitive HR information is being stored, where only a small number of users should have access to the data.

Answer 2

this is how i did it recently.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "ACCOUNT NUMBER"
          ]
        }
      }
    }
  ]
}

this is how it works.

• Allow: the user's IAM policy allows access to S3 bucket
• Deny: bucket policy is used to deny access to all the users except the user id of the role.

to get the user id of the role:

aws iam get-role --role-name ROLE-NAME

reference: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/