
AWS S3 bucket policy to deny everything to everyone except for one IAM user?

I have a small node application which resizes an image locally then sends it off to my S3 bucket. The issue is that I want to only accept image upload by a specific IAM user. I've tried all combinations of bucket policies and none of them seem to work. They either completely disable upload, or allow it for anyone. I'm slowly losing my mind with how bad the policies approach is when you can't achieve something this simple.

Any help?

To manage resource access within AWS the recommendation is to use IAM roles, not users (especially when used directly instead of within a group), so any user/application/service can assume that role when needed. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

Still, if that is what you want, a policy that should work is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::IdOfYourAWSAccount:user/NameOfYourUser",
                "arn:aws:iam::IdOfYourAWSAccount:root"]
      },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::YourBucket",
                   "arn:aws:s3:::YourBucket/*"]
    }
  ]
}

By default, buckets are private. This is good, since nobody has permission to upload or download to it.

Since you wish to grant access to a specific IAM user, you should add a policy to the IAM User rather than a Bucket Policy. So, keep the Bucket Policy empty.

You would add a policy like this to your IAM User:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::BUCKETNAME/*"
    }
  ]
}

This allows them to upload objects (PutObject) to the bucket.
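The two answers above each show one half of the picture: the first grants the user (and root) access through the bucket policy, the second grants it through the user's own identity policy. Neither policy, on its own, "denies everything to everyone else": within one AWS account an Allow in either the identity policy or the bucket policy is enough, and an Allow-only bucket policy takes nothing away from another principal who already holds S3 permissions elsewhere. Only an explicit Deny does that. The following is an added example, not code from either answer: a small offline simulator of the documented same-account evaluation order (explicit Deny wins, then any Allow, then implicit deny), run against the second answer's identity policy, an Allow-only bucket policy in the style of the first answer, and a hardened variant with a Deny that exempts only the intended principal via an `aws:PrincipalArn` condition. The account ID, user names and bucket name are made-up placeholders.

```javascript
// Added example (not from either answer): an offline simulator of the
// same-account IAM evaluation rules AWS documents. An explicit Deny in any
// applicable policy wins; otherwise an Allow from EITHER the caller's identity
// policy OR the bucket policy suffices; otherwise the request is implicitly
// denied. Account ID, user and bucket names are made-up placeholders.

const ACCOUNT = "123456789012";
const BUCKET = "example-upload-bucket";
const UPLOADER = `arn:aws:iam::${ACCOUNT}:user/uploader`;
const INTERN = `arn:aws:iam::${ACCOUNT}:user/intern`;
const ROOT = `arn:aws:iam::${ACCOUNT}:root`;
const BUCKET_ARNS = [`arn:aws:s3:::${BUCKET}`, `arn:aws:s3:::${BUCKET}/*`];

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM wildcard matching: "*" and "?" are the only metacharacters.
function matches(patterns, value, ignoreCase = false) {
  return asList(patterns).some((p) => {
    const re = p.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp(`^${re}$`, ignoreCase ? "i" : "").test(value);
  });
}

// Principal / NotPrincipal appear only in resource (bucket) policies; an
// identity policy has none and applies to whoever it is attached to.
function principalMatches(stmt, principalArn) {
  if (stmt.Principal !== undefined) {
    return stmt.Principal === "*" || matches(stmt.Principal.AWS, principalArn);
  }
  if (stmt.NotPrincipal !== undefined) return !matches(stmt.NotPrincipal.AWS, principalArn);
  return true;
}

// Only the operators this example needs; the only context key is aws:PrincipalArn.
function conditionMatches(cond, principalArn) {
  if (!cond) return true;
  const ctx = { "aws:PrincipalArn": principalArn };
  return Object.entries(cond).every(([op, kv]) =>
    Object.entries(kv).every(([key, pats]) => {
      const hit = matches(pats, ctx[key]);
      if (op === "ArnEquals" || op === "StringEquals") return hit;
      if (op === "ArnNotEquals" || op === "StringNotEquals") return !hit;
      throw new Error(`unsupported condition operator ${op}`);
    }));
}

function statementApplies(stmt, req) {
  return principalMatches(stmt, req.principalArn)
    && matches(stmt.Action, req.action, true)      // action names are case-insensitive
    && matches(stmt.Resource, req.resource)
    && conditionMatches(stmt.Condition, req.principalArn);
}

// policies: { scope: "identity", owner: <arn>, doc } or { scope: "resource", doc }
function evaluate(policies, req) {
  let allowed = false;
  for (const { scope, owner, doc } of policies) {
    if (scope === "identity" && owner !== req.principalArn) continue;
    for (const stmt of doc.Statement) {
      if (!statementApplies(stmt, req)) continue;
      if (stmt.Effect === "Deny") return "EXPLICIT_DENY";
      if (stmt.Effect === "Allow") allowed = true;
    }
  }
  return allowed ? "ALLOW" : "IMPLICIT_DENY";
}

// The identity policy from the second answer, attached to the uploader user.
const uploaderIdentityPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "s3:PutObject", Resource: `arn:aws:s3:::${BUCKET}/*` }] };

// Some other user in the same account who happens to hold broad S3 rights.
const internIdentityPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "s3:*", Resource: "*" }] };

const emptyBucketPolicy = { Version: "2012-10-17", Statement: [] };

// Allow-only bucket policy in the style of the first answer: it grants access
// to the listed principals but takes nothing away from anyone else.
const allowOnlyBucketPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: { AWS: [UPLOADER, ROOT] }, Action: "s3:*", Resource: BUCKET_ARNS }] };

// What the question title actually asks for: an explicit Deny for every caller
// except the uploader (root is kept so the account cannot lock itself out).
const denyExceptUploaderBucketPolicy = { Version: "2012-10-17", Statement: [
  allowOnlyBucketPolicy.Statement[0],
  { Effect: "Deny", Principal: "*", Action: "s3:*", Resource: BUCKET_ARNS,
    Condition: { ArnNotEquals: { "aws:PrincipalArn": [UPLOADER, ROOT] } } }] };

function scenario(bucketPolicy, principalArn, action = "s3:PutObject") {
  const policies = [
    { scope: "identity", owner: UPLOADER, doc: uploaderIdentityPolicy },
    { scope: "identity", owner: INTERN, doc: internIdentityPolicy },
    { scope: "resource", doc: bucketPolicy },
  ];
  return evaluate(policies, { principalArn, action, resource: `arn:aws:s3:::${BUCKET}/photo.jpg` });
}

console.log("uploader, allow-only bucket policy:  ", scenario(allowOnlyBucketPolicy, UPLOADER));
console.log("intern,   allow-only bucket policy:  ", scenario(allowOnlyBucketPolicy, INTERN));
console.log("intern,   deny-except bucket policy: ", scenario(denyExceptUploaderBucketPolicy, INTERN));
console.log("uploader, deny-except bucket policy: ", scenario(denyExceptUploaderBucketPolicy, UPLOADER));
console.log("uploader GetObject, empty bucket policy:", scenario(emptyBucketPolicy, UPLOADER, "s3:GetObject"));
```

The second line of output is the one that matters for the question: with the Allow-only bucket policy, the intern's upload still succeeds because their own identity policy allows it. Only the Deny statement with the `ArnNotEquals` exemption turns the bucket into "nobody but this user". Keep the root ARN in the exemption list, as the first answer does, so that a mistake in the policy does not lock the account out of its own bucket; and remember that the simulator models only the same-account rules for identity and bucket policies, not permission boundaries, SCPs or cross-account access.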

So it turns out that the AWS-SDK was automatically sending off my saved IAM user credentials from my pc even though I did not write it in my code. That's why I was able to keep uploading to my bucket even though I did not pass any credentials in my code. The credentials were stored in the .aws folder found at "C:\Users\User\.aws". I simply renamed the 2 files, and finally everything made sense. Turns out my bucket policies were working correctly the entire time, it's just that I was always sending credentials which verified me as an IAM user who was allowed to use that bucket. I believe the credentials were stored after using CLI to log in on this pc at one point.

Why it works this way, that's another topic I guess...

TLDR: If it seems like you're able to interact with your private bucket whilst not sending any credentials using AWS-SDK, check the .aws folder "C:\Users\User\.aws" for possible saved credentials.
