
Can S3 bucket-policy override IAM policy?

  1. I have created an S3 bucket and an EC2 instance.
  2. I have attached a role to the EC2 instance that contains AmazonS3ReadOnlyAccess policy.
  3. I used the AWS CLI from the EC2 instance to list all the contents of my S3 bucket.
  4. I created a bucket policy that prevents any operation from any principal on that bucket:
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::ananda-demo-bucket-1/",
      "Principal": "*"

However, from my EC2 instance I can still list the contents of my bucket. Does this mean that I cannot override an AWS IAM policy with a custom bucket policy, or is the bucket policy I created wrong?

Yes, it can indeed override the policy, but only where it uses a Deny. If it includes an Allow but the IAM policy includes a Deny, this will not evaluate as Allow.

For your policy to deny all actions inside the S3 bucket the resource in the bucket policy should include the following:

  • arn:aws:s3:::ananda-demo-bucket-1
  • arn:aws:s3:::ananda-demo-bucket-1/*

By doing this with a principal of * you would be denying access to everything, so you would no longer be able to interact with this S3 bucket from any resource (including the console); you should be aware of this before making such a large change. Try limiting the actions that you are denying so that management of the S3 bucket can still be done in the console.

To generalise the policy evaluation logic: in any permissions evaluation, if there is a deny from any one of the following, the action will be denied:

  • Service Control Policy
  • IAM Boundary
  • Resource Policy
  • IAM Policy

The full evaluation flow looks like the one below:

[image: policy evaluation flow diagram]

For more information take a look at the Policy Evaluation Logic page in the AWS documentation.

Some commands operate at the bucket level, while others operate at the object level.

Try this:

      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
         "arn:aws:s3:::ananda-demo-bucket-1",
         "arn:aws:s3:::ananda-demo-bucket-1/*"
      ],
      "Principal": "*"
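A constructed Python model of the deny-wins evaluation the first answer describes, applied to the bucket policy from the question and the corrected one from the second answer (added example, not from the original thread). The read-only IAM policy is an assumption modelled on AmazonS3ReadOnlyAccess; SCP/permission-boundary gating and Condition keys are omitted.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed, simplified model of the AWS policy evaluation rule described in
# the answers: an explicit Deny in any policy type wins, otherwise an Allow is
# required. SCP/permission-boundary gating (their own Allow must also exist) is
# omitted; only Action and Resource are matched, no Condition handling.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _statement_applies(stmt: Dict, action: str, resource: str) -> bool:
    # IAM treats '*' and '?' in Action/Resource as wildcards; an ARN with no
    # wildcard (such as "...bucket-1/") must match the request exactly.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def evaluate(policies: Dict[str, List[Dict]], action: str, resource: str) -> Tuple[str, str]:
    """Return (decision, reason) for one request across all policy types."""
    for ptype, stmts in policies.items():
        for s in stmts:
            if s["Effect"] == "Deny" and _statement_applies(s, action, resource):
                return "Deny", f"explicit Deny in {ptype}"
    for ptype, stmts in policies.items():
        for s in stmts:
            if s["Effect"] == "Allow" and _statement_applies(s, action, resource):
                return "Allow", f"Allow in {ptype}"
    return "Deny", "implicit deny (no Allow matched)"

BUCKET = "arn:aws:s3:::ananda-demo-bucket-1"

# Assumption: modelled on the s3:Get*/s3:List* part of AmazonS3ReadOnlyAccess.
IAM_READONLY = [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]

# The bucket policy from the question: resource "bucket/" is neither the bucket
# ARN nor an object ARN, so it never matches a real request.
BROKEN_BUCKET_POLICY = [{"Effect": "Deny", "Action": "s3:*", "Principal": "*",
                         "Resource": BUCKET + "/"}]

# The corrected policy from the answers: bucket ARN for bucket-level actions
# (s3:ListBucket) plus "bucket/*" for object-level actions (s3:GetObject).
FIXED_BUCKET_POLICY = [{"Effect": "Deny", "Action": "s3:*", "Principal": "*",
                        "Resource": [BUCKET, BUCKET + "/*"]}]

def decide(bucket_policy: List[Dict], action: str, resource: str) -> Tuple[str, str]:
    return evaluate({"IAM policy": IAM_READONLY, "Resource policy": bucket_policy},
                    action, resource)

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_BUCKET_POLICY), ("fixed", FIXED_BUCKET_POLICY)):
        for action, res in (("s3:ListBucket", BUCKET), ("s3:GetObject", BUCKET + "/file.txt")):
            print(name, action, decide(policy, action, res))
```

Running it shows the question's policy denying nothing at all, while the corrected resource list denies both the bucket-level list and the object-level get.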
