1

at the moment I'm struggling how to create a secure policy for my Amazon S3 bucket. My plan is to have one bucket with several sub-folders for separate (IAM) users. Access should only be programmatically with access-ID and secret key, not via console.

Conditions:

Each user should only have access to his own folder and should not see the other folders in the bucket.

Each user should only have the right to PutObject (store), GetObject (download), DeleteObject (delete) inside his folder.

Users should not be allowed to do anything else like creating own buckets; the stricter the better.

FYI:

The folders are meant for storage of each users system backups and personal data, so it's crucial that no other user can see what's inside an other user's folder.

  • I found the following policy at Amazon but I'm not sure if this policy is strict enough to secure and restrict access like mentioned above.

  • And is "ListAllMyBuckets" really necessary or poses chances that every user could also see other buckets in my account like this example says?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "",
                        "home/",
                        "home/${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion"
         ],
            "Resource": [
                "arn:aws:s3:::bucket-name/home/${aws:username}",
                "arn:aws:s3:::bucket-name/home/${aws:username}/*"
            ]
        }
    ]
}

I'm quite new to AWS S3, so any help regarding my problem would be greatly appreciated.

Thanks!

keitaro.urashima
  • 11
  • 2

1 Answers1

0

This is a classic AWS exam question. The AWS policy is good and sufficiently secure for most uses. To answer your questions:

  • "ListAllMyBuckets" is needed if users use an S3 browser, without this they can't view a list of buckets they can access. Doesn't matter if someone knows your bucket names if they're properly secured.
  • "GetBucketLocation" is probably needed for a similar reason, with similar notes.
  • "ListBucket" allows users to list the root of the bucket, the home folder, and their folder within home, but not list other users buckets. They can see other users names
  • The last clause with PutObject / GetObject / DeleteObject plus the same calls with "version" on the end are what lets a user store, retrieve and delete objects including versioned objects.
Tim
  • 31,888
  • 7
  • 52
  • 78