Bosh

Reputation: 8748

Some "Condition"s disallowed in AWS S3 Bucket Policies?

I'd like to define an S3 bucket-level policy that restricts access to specific users (e.g. using Cognito ids). Why can't a Condition block like the following be used in a Bucket policy?

{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": [
                        "us-east-1:12345678-abcd-abcd-abcd-123456790ab",
                        "us-east-1:98765432-dcba-dcba-dcba-123456790ab"
                    ]
                }
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket-name"
        }
    ]
}

When I try, I get the error:
Policy has an invalid condition key - cognito-identity.amazonaws.com:aud

But this block works fine (minus the Principal) in a user-level policy. I'm trying to understand what the rules are, so I don't have to blindly attempt to make changes and "see what works".

To be clear, I can refer to ${cognito-identity.amazonaws.com:sub} from a bucket policy (e.g. inside of a resource URL); but I can't use it as a condition key (as in the example above).

So: are the rules for bucket policies different from other policies? Is this documented somewhere? I'd especially love a pointer to an authoritative source here, because I suspect I may be missing some important documentation.

Upvotes: 1

Views: 1411

Answers (1)

fmog

Reputation: 186

It seems like you can't add a Cognito-id-based condition in a bucket-level policy; however, this can be achieved by adding a policy to your identity pool's auth role.

Assume that you want every user in an identity pool to be able to read the contents of a bucket but only specific users to write. This can be achieved with the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>/*"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:sub": [
                        "<cognito id1>",
                        "<cognito id2>"
                    ]
                }
            }
        }
    ]
}

Upvotes: 1
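As an added example that is not part of the question or of fmog's answer: a small Python evaluator that builds the auth-role policy above and checks, for a given Cognito identity, which S3 actions it permits. The bucket name and identity ids are constructed placeholders, and only Effect, Action, Resource and StringEquals are modelled, not the full IAM evaluation logic.

```python
"""Local check of the identity-pool auth-role policy from the answer.
Assumes the role policy is the only grant in play; bucket name and Cognito
identity ids are constructed placeholders, not real values."""
import fnmatch

BUCKET = "example-bucket"                                # constructed
WRITERS = ["us-east-1:aaaa-1111", "us-east-1:bbbb-2222"]  # constructed ids
SUB_KEY = "cognito-identity.amazonaws.com:sub"


def auth_role_policy(bucket, writer_ids):
    """Build the answer's policy: every pool user reads, listed ids write."""
    arn = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [arn]},
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": [arn],
         "Condition": {"StringEquals": {SUB_KEY: list(writer_ids)}}},
    ]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_hold(cond, ctx):
    # Only StringEquals is modelled: each key must equal one listed value.
    for key, allowed in cond.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(allowed):
            return False
    return True


def is_allowed(policy, action, resource, ctx):
    """IAM-style decision: an explicit Deny wins, otherwise any matching Allow.
    Action and Resource patterns use * and ? wildcards, as IAM does."""
    decision = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision


POLICY = auth_role_policy(BUCKET, WRITERS)
OBJ = f"arn:aws:s3:::{BUCKET}/report.txt"
```

Run it with a context containing the caller's cognito-identity sub: any pool member gets GetObject, only the listed ids get PutObject, and everything else (other actions, other buckets) is denied by default.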
