Is there a way to specify a bucket creation policy so that a user with the assigned role can only create buckets with a specified name pattern such as company-dbbackup-* and no other name patterns?

For example, the user would be allowed to create buckets with the names company-dbbackup-March2017 and company-dbbackup-fullarchive but not test-bucketname-invalid.

What I have right now:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1493212897117",
            "Action": [
                "s3:CreateBucket",
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

But this allows me to create buckets with any name.

1 Answer


It turns out to be relatively simple (unless I've overlooked something). I have simply split the permissions into two statements as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictCreationToNamePolicy",
            "Action": [
                "s3:CreateBucket"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::company-dbbackup-*"
        },
        {
            "Sid": "AllowListingOfBuckets",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

I haven't found a way to restrict listing only buckets with the naming policy. If I restrict the second statement to the resource arn:aws:s3:::company-dbbackup-*, I get an Access Denied when trying to list buckets.

EDIT: Apparently restricting the listing is not possible; here's a good Stack Overflow answer with possible workarounds. Here's also another good discussion.

  • Do you know if this is still true? I have not been able to restrict the create bucket options but I have been able to restrict the put and list buckets by wildcard as you show above. – Robel Robel Lingstuyl Jul 03 '22 at 22:59
  • Sorry I don't know if this still works as expected. Not currently touching AWS much these days. – ysalmi Jul 05 '22 at 07:08
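The following is an added example, not code from the question or the answer above: a small, simplified local model of IAM policy evaluation (explicit Deny, then Allow, otherwise implicit deny, with `*` and `?` wildcards in Action and Resource) run over the answer's two statements. It checks that s3:CreateBucket is allowed for bucket names matching company-dbbackup-* and implicitly denied otherwise, and reproduces the Access Denied the author saw when narrowing the listing statement. The modelling assumption, labelled in the code, is that s3:ListAllMyBuckets carries no bucket in the request and is therefore represented by the bare S3 wildcard resource, so only a wildcard Resource can match it. This is a teaching model of the documented behaviour, not the real IAM engine; use the IAM policy simulator for authoritative answers.

```python
import copy
import re

# Complete policy document built from the two statements in the answer.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictCreationToNamePolicy",
            "Effect": "Allow",
            "Action": ["s3:CreateBucket"],
            "Resource": "arn:aws:s3:::company-dbbackup-*",
        },
        {
            "Sid": "AllowListingOfBuckets",
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "arn:aws:s3:::*",
        },
    ],
}

# Modelling assumption (not an AWS identifier): ListAllMyBuckets is an
# account-level call with no bucket in the request, so its resource is
# represented as the bare S3 wildcard. A narrowed pattern such as
# arn:aws:s3:::company-dbbackup-* cannot match this literal value.
LIST_ALL_RESOURCE = "arn:aws:s3:::*"


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters (possibly
    empty), '?' is exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified single-policy evaluation: an explicit Deny always wins,
    any matching Allow grants, and nothing matching is an implicit deny.
    Action names compare case-insensitively; ARNs compare case-sensitively."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(
            iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])
        )
        resource_hit = any(
            iam_match(r, resource) for r in _as_list(stmt["Resource"])
        )
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision


def create_bucket_decision(bucket_name: str, policy: dict = POLICY) -> str:
    """Decision for s3:CreateBucket on a bucket with the given name."""
    return evaluate(policy, "s3:CreateBucket", f"arn:aws:s3:::{bucket_name}")


def list_buckets_decision(policy: dict = POLICY) -> str:
    """Decision for s3:ListAllMyBuckets under the modelling assumption above."""
    return evaluate(policy, "s3:ListAllMyBuckets", LIST_ALL_RESOURCE)


def with_listing_resource(policy: dict, resource: str) -> dict:
    """Copy of the policy with the AllowListingOfBuckets resource replaced,
    to reproduce the author's narrowing experiment without mutating POLICY."""
    narrowed = copy.deepcopy(policy)
    for stmt in narrowed["Statement"]:
        if stmt["Sid"] == "AllowListingOfBuckets":
            stmt["Resource"] = resource
    return narrowed


if __name__ == "__main__":
    # Bucket names taken from the question; the third must be refused.
    for name in ("company-dbbackup-March2017",
                 "company-dbbackup-fullarchive",
                 "test-bucketname-invalid"):
        print(f"CreateBucket {name}: {create_bucket_decision(name)}")
    print("ListAllMyBuckets (wildcard resource):", list_buckets_decision())
    narrowed = with_listing_resource(POLICY, "arn:aws:s3:::company-dbbackup-*")
    print("ListAllMyBuckets (narrowed resource):", list_buckets_decision(narrowed))
```

Running the script prints `allowed` for the two company-dbbackup-* names and `implicitDeny` for test-bucketname-invalid, and shows the listing decision flip from `allowed` to `implicitDeny` once the listing statement's Resource is narrowed, which is the Access Denied the answer describes.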