Deny anonymous downloads in AWS S3

Question

I have a bucket with several files publicly downloadable. I want to put up a bucket policy after which these files should only be downloadable by my IAM users. The policy I have got so far is this:

{
    "Version": "2008-10-17",
    "Id": "Policy1424952346041",
    "Statement": [
        {
            "Sid": "Stmt1424958477350",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::777777777777:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test/*"
        },
        {
            "Sid": "Stmt1424958477351",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::777777777777:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test/*"
        }
    ]
}

However, it is denying everyone including the IAM users. Can anyone please point out what is wrong here?

Try giving them access to `"Resource": "arn:aws:s3:::test"` as well as `"Resource": "arn:aws:s3:::test/*"` then so they can list the contents of the bucket. — ceejayoz, Feb 26 '15 at 15:12

score 2 · Answer 1 · answered Apr 14 '15 at 20:10

Depending on how many IAM users you have in the account, you can specify the accounts in both statements as follows (try one or two just as a test to see if it works). I've had issues in the past with getting arn:aws:iam::XXXXXXXXXXXX:root to actually cover all IAM accounts. You could also try just specifying the IAM users and remove the root entry.

{
    "Version": "2008-10-17",
    "Id": "Policy1424952346041",
    "Statement": [
        {
            "Sid": "Stmt1424958477350",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                        "arn:aws:iam::777777777777:root",
                        "arn:aws:iam::777777777777:user/user1", 
                        "arn:aws:iam::777777777777:user/user2" ]
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test/*"
        },
        {
            "Sid": "Stmt1424958477351",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                        "arn:aws:iam::777777777777:root",
                        "arn:aws:iam::777777777777:user/user1",
                        "arn:aws:iam::777777777777:user/user2" ]
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test/*"
        }
    ]
}

Deny anonymous downloads in AWS S3

1 Answers1