
I'm trying to restrict access to a set of buckets using boto3.

Consider that I'm dealing with around 200 buckets and that I have to create a rollback solution to undo the changes that I will make in case it affects a critical bucket.

My plan so far is:

  1. Get the bucket policies and store them in a log file.
  2. Use boto3 to iterate over the buckets, changing their policies to deny all access, except to me.
  3. In case someone asks to undo the change to a certain bucket, use bucket_policy.put() to reinsert the policy stored in step 1.

Is that the best way to go?

If so, what is the specific Bucket Policy that denies access to everyone except me?

Kaio H. Cunha
  • Why do this at all? If no-one else should have S3 permissions then their IAM users/roles policies should not give them S3 permissions. Those users are typically not getting their permissions from a bucket policy; they're getting it from an IAM policy (unless you have done something odd and are managing all S3 access through bucket policies, which would be bad). – jarmod Feb 15 '22 at 00:58
  • Abandoned buckets cleanup. Before actually deleting them, it's good to only restrict access, to check if something important is affected. – Kaio H. Cunha Feb 15 '22 at 00:59
  • Just don't allow that IAM user to do anything with the bucket, which means don't give them permission. – Jatin Mehrotra Feb 15 '22 at 01:00
  • If you're trying to understand who/what is using these buckets then disabling access and waiting to see who shouts doesn't sound ideal. You can use S3 access logs, for example. – jarmod Feb 15 '22 at 01:02
  • I already know who the owners are. That's not the problem. These buckets are going to be deleted on a schedule. Before this definitive solution, I just want to restrict their access without locking myself out and having a rollback solution. Why? As you said, see who shouts. – Kaio H. Cunha Feb 15 '22 at 01:05
  • You'll need to be careful not to block everyone including yourself (which will then require root access to resolve). Ideas for how to [restrict S3 access to certain IAM principals](https://aws.amazon.com/blogs/security/how-to-create-a-policy-that-whitelists-access-to-sensitive-amazon-s3-buckets/). A safer option might be to add an explicit deny for s3:* on each named bucket to the IAM users and roles that you want to test this blocking against (rather than do it from the S3 bucket policy), or restrict their S3 actions to an explicit list of S3 buckets. – jarmod Feb 15 '22 at 01:10
  • These are some good ideas. Thanks! – Kaio H. Cunha Feb 15 '22 at 01:15
  • Be careful adding a Deny policy for `s3:*` on a bucket, because you could lock out your own ability to revert or change the Bucket Policy. Instead, you could add a Deny policy to prevent `s3:GetObject`. This will stop users being able to access the objects, but will not stop your ability to edit the Bucket Policy to restore access. – John Rotenstein Feb 15 '22 at 02:37
  • You're right. I didn't notice, but I only want them not to access the buckets. s3:GetObject is enough. Thanks! – Kaio H. Cunha Feb 15 '22 at 12:34

0 Answers
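The three-step plan from the question (snapshot, deny, restore), as an added example in boto3-style Python that is not part of the original question or its comments: it follows the comment advice to deny only `s3:GetObject` instead of `s3:*`, and carves out the operator's own principal with an `aws:PrincipalArn` condition so the policy can still be edited afterwards. The S3 client is passed in as a parameter (a real `boto3.client("s3")` or a fake for testing); the function names, the `TempDenyGetObject` Sid and the backup-file layout are this example's own choices, not anything from the page.

```python
import json
from typing import Dict, List, Optional

def build_deny_statement(bucket: str, keep_arns: List[str]) -> dict:
    """Deny object reads to everyone except keep_arns. Denying s3:GetObject rather than
    s3:* keeps PutBucketPolicy usable, so the operator can still revert without root."""
    return {
        "Sid": "TempDenyGetObject",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        # for an assumed role, aws:PrincipalArn is the role ARN, not the session ARN
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": keep_arns}},
    }

def fetch_policy(s3, bucket: str) -> Optional[str]:
    """Current policy as a JSON string, or None when the bucket has no policy."""
    try:
        return s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except s3.exceptions.NoSuchBucketPolicy:
        return None

def backup_policies(s3, buckets: List[str], path: str) -> Dict[str, Optional[str]]:
    """Step 1: snapshot every bucket's policy to a JSON file before touching anything."""
    backup = {b: fetch_policy(s3, b) for b in buckets}
    with open(path, "w") as fh:
        json.dump(backup, fh, indent=2)
    return backup

def restrict_bucket(s3, bucket: str, original: Optional[str], keep_arns: List[str]) -> dict:
    """Step 2: append the Deny statement; an explicit Deny overrides any existing Allow,
    so the original statements are kept in place rather than replaced."""
    policy = json.loads(original) if original else {"Version": "2012-10-17", "Statement": []}
    if isinstance(policy["Statement"], dict):  # a single statement may be stored as an object
        policy["Statement"] = [policy["Statement"]]
    policy["Statement"].append(build_deny_statement(bucket, keep_arns))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    return policy

def rollback_bucket(s3, bucket: str, backup: Dict[str, Optional[str]]) -> None:
    """Step 3: reinstate the snapshot; a bucket that had no policy gets it removed again."""
    if backup[bucket] is None:
        s3.delete_bucket_policy(Bucket=bucket)
    else:
        s3.put_bucket_policy(Bucket=bucket, Policy=backup[bucket])
```

For real use, pass `boto3.client("s3")`, run `backup_policies` over the bucket list first, then `restrict_bucket` per bucket with your own principal ARN in `keep_arns`; `rollback_bucket` reads the same snapshot dict when someone asks for a bucket to be restored.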