Allen Gooch

Reputation: 403

Can an AWS S3 bucket policy be used to restrict different access types to different users?

I have an AWS S3 bucket, let's call it 'mybucket', and a bunch of AWS IAM users, one of which, let's say 'alice', should be able to do anything to 'mybucket', while other AWS IAM users should just be able to list contents and get objects in 'mybucket'.

I've set up a bucket policy like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow 'alice' user complete access.",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/alice"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Sid": "Allow all other users read access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}

With this policy, I can still write to 'mybucket'. I even removed the second statement object, and got the same results.

Is this the correct approach to achieving what I want to achieve? If so, what is the problem with my bucket policy? If not, what approach should I pursue?

Many thanks!

Upvotes: 0

Views: 300

Answers (1)

John Rotenstein

Reputation: 269520

Amazon S3 bucket policies are generally used to grant access to everybody (e.g. public users).

If you wish to grant specific permissions to particular IAM Users, then it is better to add the policy directly to the IAM User or Group.

For example, add this policy to the alice IAM User to allow her to run any API command on both the bucket and the objects within the bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*",
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

You'll notice that there is no Principal field, because it automatically applies to the User on whom this policy is placed.

When Amazon S3 evaluates permissions, it looks at both the Bucket Policy and any policies associated with the User. Either can grant access.

Upvotes: 1
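The answer's last point, that S3 unions the Allow statements of the bucket policy and the caller's IAM policies, is exactly why the asker's bucket policy did not stop writes: an Allow list never takes away a permission the user's own IAM policy already grants. The toy evaluator below is an added example written for this thread, not code from the asker, the answerer or AWS. It replays the situation with constructed ARNs (account 123456789012, users alice and bob), using alice's IAM policy from the answer and a constructed IAM policy for bob that grants PutObject, and then goes one step beyond the answer to show how an explicit Deny keyed on aws:PrincipalArn does restrict everyone except alice. It models only what the discussion needs (Allow union, Deny precedence, implicit deny, wildcard matching, one condition key); account-root principals, which in real AWS delegate to the account rather than grant directly, NotAction/NotResource and other condition keys are deliberately left out.

```python
# Toy model of S3 policy evaluation for this thread (added example, not
# AWS code).  Account id, user names and object key below are constructed.
import fnmatch

ACCOUNT = "123456789012"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"       # stands in for "other users"
BUCKET = "arn:aws:s3:::mybucket"
OBJECTS = "arn:aws:s3:::mybucket/*"

# Bucket policy in the spirit of the question: alice gets everything,
# bob gets GetObject only.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE},
     "Action": "s3:*", "Resource": [BUCKET, OBJECTS]},
    {"Effect": "Allow", "Principal": {"AWS": BOB},
     "Action": "s3:GetObject", "Resource": [BUCKET, OBJECTS]},
]}

# Alice's identity policy is the one from the answer.  Bob's is constructed
# and is the kind of policy that explains the asker's observation: once an
# identity policy grants PutObject, the bucket policy's Allow list cannot
# take it away.
ALICE_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [OBJECTS, BUCKET]}]}
BOB_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": OBJECTS}]}

# Same bucket policy plus an explicit Deny on writes for every principal
# other than alice.  Deny statements are what actually restrict; Allow
# statements alone never do.
RESTRICTED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement":
    BUCKET_POLICY["Statement"] + [
    {"Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": OBJECTS,
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": ALICE}}},
]}

def _glob_any(patterns, value):
    """IAM-style wildcard match: '*' spans ':' and '/' just as IAM does."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _principal_ok(statement, principal_arn):
    principal = statement.get("Principal")
    if principal is None or principal == "*":      # identity policy, or anyone
        return True
    return _glob_any(principal.get("AWS", []), principal_arn)

def _condition_ok(statement, principal_arn):
    """Only aws:PrincipalArn with (Arn|String)(Not)?(Equals|Like) is modelled."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if key != "aws:PrincipalArn":
                raise NotImplementedError(f"condition key {key} not modelled")
            hit = _glob_any(expected, principal_arn)
            negated = "Not" in operator
            if hit == negated:   # positive op with no hit, or Not-op with a hit
                return False
    return True

def evaluate(principal_arn, action, resource, bucket_policy, identity_policies):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in [bucket_policy, *identity_policies]:
        for st in policy["Statement"]:
            if not (_principal_ok(st, principal_arn)
                    and _glob_any(st["Action"], action)
                    and _glob_any(st["Resource"], resource)
                    and _condition_ok(st, principal_arn)):
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"          # Deny wins over every Allow
            decision = "Allow"                 # keep scanning for a Deny
    return decision

def walk_through():
    """Replay the thread's situation and the restricting fix, request by request."""
    obj = "arn:aws:s3:::mybucket/report.csv"   # constructed object key
    return {
        "alice_put": evaluate(ALICE, "s3:PutObject", obj, BUCKET_POLICY, [ALICE_IAM_POLICY]),
        "bob_get": evaluate(BOB, "s3:GetObject", obj, BUCKET_POLICY, []),
        # The asker's surprise: the bucket policy grants bob only GetObject,
        # yet his write succeeds because his identity policy allows it.
        "bob_put_via_iam": evaluate(BOB, "s3:PutObject", obj, BUCKET_POLICY, [BOB_IAM_POLICY]),
        "bob_put_no_iam": evaluate(BOB, "s3:PutObject", obj, BUCKET_POLICY, []),
        # With the explicit Deny in place the identity policy no longer helps.
        "bob_put_restricted": evaluate(BOB, "s3:PutObject", obj, RESTRICTED_BUCKET_POLICY, [BOB_IAM_POLICY]),
        "alice_put_restricted": evaluate(ALICE, "s3:PutObject", obj, RESTRICTED_BUCKET_POLICY, [ALICE_IAM_POLICY]),
    }

if __name__ == "__main__":
    for name, verdict in walk_through().items():
        print(f"{name:22} -> {verdict}")
```

Running it prints Allow for bob_put_via_iam but ImplicitDeny for bob_put_no_iam, which is the whole story behind "I can still write to 'mybucket'": the write was never coming from the bucket policy. Only the Deny statement in RESTRICTED_BUCKET_POLICY turns bob's write into ExplicitDeny while leaving alice's Allow intact, because an explicit Deny in any applicable policy overrides every Allow.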
