
I searched through existing questions and couldn't find an answer. Hence posting here.

I want to restrict access to an S3 bucket to all users except select few users using S3 Bucket policy. I understand IAM policy is easy to manage and administer, I don't like to create roles and groups for this specific case and want S3 bucket policy created.

Here is what I have tried so far and it is not restricting access to users as expected.

```json
{
  "Version": "2012-10-17",
  "Id": "bucketPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::1234567890:user/allowedusername"]
      },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::examplebucket",
                   "arn:aws:s3:::examplebucket/*"]
    },
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": ["arn:aws:iam::1234567890:user/denieduser"]
      },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::examplebucket",
                   "arn:aws:s3:::examplebucket/*"]
    }
  ]
}
```

I tried to deny all like below but that explicit deny took precedence over allow and I myself am not able to access the bucket now ;-( That's another issue I have.

```json
{
  "Effect": "Deny",
  "Principal": {
    "AWS": ["*"]
  },
  "Action": "s3:*",
  "Resource": ["arn:aws:s3:::examplebucket",
               "arn:aws:s3:::examplebucket/*"]
}
```

rocky

1 Answer


To achieve what you want, use an explicit deny with a NotPrincipal policy element. The policy below will ensure no other user can access the buckets other than the users listed in the NotPrincipal element:

```json
{
  "Id": "bucketPolicy",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::1234567890:user/alloweduser"
        ]
      },
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}
```
alecxe

  • I get the following error: `This policy contains the following error: Has prohibited field Id For more information about the IAM policy grammar, see AWS IAM Policies.` – lft93ryt Oct 15 '17 at 17:19
  • @excessivedemon What if any AWS service wants to access this bucket? i.e. EMR or Redshift. – ImPurshu Apr 25 '19 at 11:02
  • Same question as @ImPurshu, what if at the same time we want other services to access the bucket? – user1297406 Aug 05 '19 at 08:00
  • Where do we add the above policy? You can't add principal policies in the Policies section, or attached to users. Do you add it to the bucket? If so, how? – clg4 Aug 11 '20 at 21:51
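To see why the question's Allow+Deny pair leaves unlisted users unblocked while the answer's NotPrincipal deny does block them, here is an added example (not code from the question or the answer) that simulates just the bucket-policy step of AWS's evaluation over the three policies on this page. The account id and user names are the question's placeholders; the `outsider` user and the object key are constructed, and real AWS evaluation also consults identity policies, service principals and the account root, which this simplified matcher ignores.

```python
import fnmatch

ACCOUNT = "1234567890"  # placeholder account id from the question's ARNs
BUCKET = ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]

def user(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"

def statement(effect, key, principals):
    # Every statement on the page covers s3:* on the bucket and its objects.
    return {"Effect": effect, key: {"AWS": principals}, "Action": "s3:*", "Resource": BUCKET}

# Asker's policy: Allow one user, Deny another, silent about everyone else.
ASKER_POLICY = [statement("Allow", "Principal", [user("allowedusername")]),
                statement("Deny", "Principal", [user("denieduser")])]
# Asker's second attempt: Deny for Principal "*" hits every caller, the asker included.
DENY_ALL_POLICY = [statement("Deny", "Principal", ["*"])]
# Answer's policy: Deny everyone except the listed user (this simulation ignores service
# principals and AWS's advice to also list the account root ARN in NotPrincipal).
NOTPRINCIPAL_POLICY = [statement("Deny", "NotPrincipal", [user("alloweduser")])]

def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _principal_applies(stmt, principal_arn):
    if "Principal" in stmt:
        return _matches(stmt["Principal"]["AWS"], principal_arn)
    return not _matches(stmt["NotPrincipal"]["AWS"], principal_arn)

def evaluate(policy, principal_arn, action, resource):
    """Return 'Deny', 'Allow' or 'NoDecision'. NoDecision means the bucket policy is
    silent, so the caller's own identity policies decide (the gap in the first policy)."""
    decision = "NoDecision"
    for stmt in policy:
        if not (_principal_applies(stmt, principal_arn)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins over any allow
        decision = "Allow"
    return decision

if __name__ == "__main__":
    obj = "arn:aws:s3:::examplebucket/report.csv"  # constructed object ARN
    for name in ["allowedusername", "denieduser", "outsider"]:
        print("asker   ", name, evaluate(ASKER_POLICY, user(name), "s3:GetObject", obj))
    for name in ["alloweduser", "outsider"]:
        print("answer  ", name, evaluate(NOTPRINCIPAL_POLICY, user(name), "s3:GetObject", obj))
```

Note that the answer's policy grants nothing to `alloweduser`; it only stops denying them, so they still need their own IAM permissions on the bucket.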