CODEWITHSUNDEEP
amazon-web-servicesamazon-s3
lonewarrior556
lonewarrior556

Reputation: 4479

AWS Bucket Policy, IS it secure to deny by username?

So I have about 50 buckets and 15 users in AWS IAM. I wanted to have a very secret bucket that only allows access to a single IAM user called 'only-allowed-user' So I came up with this policy,

{
    "Version": "2012-10-17",
    "Id": "Policy19",
    "Statement": [
        {
            "Sid": "Stmt14",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::s3-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:username": "only-allowed-user"
                }
            }
        }
    ]
}

Also no non-admin users can edit bucket policies.

It definitely works with our 15 users so far. 14 are denied and 'only-allowed-user' has access (including api calls). However I did not see anyone mention that this was an option or a good idea to do it this way, Is there a way around this security either internally (by the 14 other users that don't have admin rights) or externally?

Upvotes: 0

Views: 286

Answers (1)

Matt Houser
Matt Houser

Reputation: 36073

Using the username condition limits access to the bucket from anyone that is not using a user with a specified username.

However, there's nothing in your policy that's denying access to users from another AWS account that's using the same username. So if there exists a policy allowing another AWS account access to your bucket, then a user with the same username can get access.

What you have may be sufficient, because by default, this hypothetical other policy does not exist. But the future may change things.

Better may be to directly specify your specific user using the NotPrincipal element of the statement:

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#NotPrincipal

{
    "Version": "2012-10-17",
    "Id": "Policy19",
    "Statement": [
        {
            "Sid": "Stmt14",
            "Effect": "Deny",
            "NotPrincipal": [
                 "arn:aws:iam::<your account number>:user/your-allowed-user"
            ],
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::s3-bucket/*"
        }
    ]
}

By using the principal ARN, you're specifically allowing the user in the specific AWS account.

Upvotes: 1

Related Questions