How to grant access only to the Root Account User for an S3 bucket with IAM Policy AWS?
Question
I want to create an s3 bucket policy that only the Root Account can have full access, how can I do that?
Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow full access for root account user",
"Effect": "Allow",
"Principal": {
"AWS": "root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::ih-deploy-bucket/*",
"arn:aws:s3:::ih-deploy-bucket"
]
}
]
}
Or adding a Condition Like
"Condition": {
"StringEquals" : {"aws:username" : "rootUser"}
}
3 answers
solution1
4 ACCPTED 2020-10-09 21:31:58
This is one of the very few (if not the only) usecase for an explicit Deny with a NotPrincipal :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::<your-account-number>:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::ih-deploy-bucket/*",
"arn:aws:s3:::ih-deploy-bucket"
]
}
]
}
This will explicitly deny all principals that are not (and not only ) the root account user, including IAM users, assumed role sessions and federated users in that account. And since the root user always has explicit Allows for all actions on all resources, an actual Allow is given by the root user's identity-based permissions, so the root user will have access to that bucket.
The reason why this works is that a caller identity working in your account has always multiple principals simultaneously, which are being evaluated by IAM for a policy statement:
- the account principal
arn:aws:iam::<your-account-number>:root - the user, assumed role or federated user principal
In the case of an explicit Allow if you only used the root account principal in a Principal rule in a policy statement, then any user in that account will match the allow and will be given access, since the account principal is always part of a user's principal list in that account.
However, in the case of a Deny with a NotPrincipal , things are a bit different. Here, the list of NotPrincipal s must whitelist all principals of the caller's identity to be not denied.
This fact somewhat shines through in the AWS documentation about NotPrincipal : https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
When you use NotPrincipal with Deny, you must also specify the account ARN of the not-denied principal. Otherwise, the policy might deny access to the entire account containing the principal. Depending on the service that you include in your policy, AWS might validate the account first and then the user. If an assumed-role user (someone who is using a role) is being evaluated, AWS might validate the account first, then the role, and then the assumed-role user.
solution2
0 2020-10-09 20:33:20
"AWS": "root"
应该改为
"AWS": "arn:aws:iam::<your-account-number>:root"
solution3
-1 2020-10-13 15:29:40
Like httpdigest said in this answer, the root user always has explicit Allows for all actions on all resources.
So what I blocked all permissions to all others users that are not in condition. And the root user has always access.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Block all user not in condition, but the root has permission",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::bucket"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "175.222.100.192"
},
"StringNotEquals": {
"aws:username": "user1"
}
}
}
]
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.