7

I have a number of buckets that start with the same namespace as in assets-<something>, so I was wondering what would be the best option to give rights to IAM group with minimal need to maintain it.

Is it possible to use any sort of regex in ARN? Or maybe I could use tags? EC2 has condition for ResourceTag, but it appears that it does not exist for S3.

Or should I with each bucket add new ARN to the policy?

Again, I am searching for the minimal solution so attaching new policy to each bucket itself seems to be a bit much.

starball
  • 20,030
  • 7
  • 43
  • 238
JackLeo
  • 4,579
  • 9
  • 40
  • 66

2 Answers2

10

An IAM policy can grant access to Amazon S3 buckets based on a wildcard.

For example, this policy grants permissions to list the contents of a bucket and retrieve an object from a bucket, but only if the bucket starts with assets-:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SomeSID",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::assets-*",
        "arn:aws:s3:::assets-*/*"
      ]
    }
  ]
}

Note that the Resource section refers to both the bucket (for ListBucket) and the content of the bucket (for GetObject).

Wildcard also work elsewhere in the bucket name, eg: arn:aws:s3:::*-record

It is not possible to grant access to Amazon S3 buckets based on Tags.

ARN format

As an aside, if you're wondering why there are so many colons in the ARN (Amazon Resource Name) for an Amazon S3 bucket, it's because the normal format for an ARN is:

arn:aws:<service name>:<region>:<account>:<resource>

In the case of an Amazon S3 bucket, the region and account can be discerned from the bucket name (which is globally unique), so those parameters are left blank.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • `ListBucket` Requires access to `` wheres `GetObject` requires `/*`. Shouldn't there be 2 rules with separated access? Or it's not considered a good practice? – JackLeo Nov 27 '14 at 11:36
  • The above example combines them both, but they can be listed as separate rules (one for the bucket, one for the bucket contents). – John Rotenstein Nov 27 '14 at 18:09
2

Yes indeed it appears I can use IAM policy with ARN arn:aws:s3:::assets-* and arn:aws:s3:::assets-*/*

JackLeo
  • 4,579
  • 9
  • 40
  • 66
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. – thomasfedb Nov 26 '14 at 13:26
  • @thomasfedb, this appears to be a self-answer. – gunr2171 Nov 26 '14 at 14:04
  • Good point, missed that. In any case, a more detailed self-answer would be nice. – thomasfedb Nov 26 '14 at 14:10
  • 1
    I agree, thus I did not accept my own answer. It's the bare bones result I found that works and I ended up using for now. I have no info about using tags or using more complicated regex in ARN. – JackLeo Nov 26 '14 at 17:29