3

I've a bucket with GetObject available to everyone on full bucket(*). I want to make a few objects private(through Object level operation ACL), i.e. only the bucket owner should have read access to the object. I've gone through all available documentation, but couldn't find any possible way. Can anyone confirm is this possible or not?

user3275863
  • 65
  • 1
  • 6
  • 1
    Once a bucket is made public, all content is public. A simple solution would to create another bucket which contains the private data. Then create a new security policy (and group) which allows read permissions and only assign the group/policy to the users who need access to the private data. – Randy B. Dec 12 '17 at 05:10
  • "Once a bucket is made public, all content is public." I wanted confirmation on this as I couldn't find this explicitly in documentation. Thank you. I was also thinking of the solution you have suggested, but wanted to confirm if it was possible with bucket policy being just public on all. – user3275863 Dec 13 '17 at 04:20

1 Answers1

2

You cannot use S3 Object ACLs because ACLs do not have a DENY.

You can modify your S3 policy to specify objects and deny access to individual items.

Example S3 Policy (notice that this policy forbids access to everyone for GetObject for two files):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        },
        {
            "Sid": "DenyPublicReadGetObject",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::mybucket/block_this_file",
                "arn:aws:s3:::mybucket/block_this_file_too"
            ]
        }
    ]
}

If you want to add a condition so that certain users can still access the objects, add a condition after the Resource section like this. This condition will allow IAM users john.wayne and bob.hope to still call GetObject.

        "Resource": [
            "arn:aws:s3:::mybucket/block_this_file",
            "arn:aws:s3:::mybucket/block_this_file_too"
        ],
        "Condition": {
            "StringNotEquals": {
                "aws:username": [
                    "john.wayne",
                    "bob.hope"
                ]
            }
        }
John Hanley
  • 74,467
  • 6
  • 95
  • 159
  • Just be careful... adding the DENY might also prevent the bucket owner from accessing the object too! – John Rotenstein Dec 12 '17 at 06:40
  • 1
    @JohnRotenstein. This first example does deny the owner, so I included a note about everybody. The second example shows how to create a condition to allow GetObject for specified users e.g. don't deny for them. – John Hanley Dec 12 '17 at 06:47