Claz

Reputation: 31

AWS IAM Policy: Restrict Bucket/Folder Access By User/Role?

I'm trying to restrict users by role to access only particular folders within an S3 bucket. The bucket is configured as "mock mountable", so to speak, so that we can use it for file sharing as if it were a more traditional server. Each user is using CloudBerry to access S3 remotely.

Here's my current (broken) policy; the bucket name is "bluebolt".

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowUserToSeeBucketListInTheConsole",
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Sid": "AllowRootAndHomeListingOfCompanySharedAndPAndP",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    "",
                    "Production and Processing/",
                    "Production and Processing/${aws:username}",
                    "Company Shared/"
                ],
                "s3:delimiter": [
                    "/"
                ]
            }
        }
    },
    {
        "Sid": "AllowListingOfCompanyShared",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "Company Shared/*"
                ]
            }
        }
    },
    {
        "Sid": "AllowListingOfUserFolder",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "Production and Processing/${aws:username}/",
                    "Production and Processing/${aws:username}/*"
                ]
            }
        }
    },
    {
        "Sid": "AllowAllS3ActionsCompanyShared",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt/Company Shared/*"
        ]
    },
    {
        "Sid": "AllowAllS3ActionsInUserFolder",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt/Production and Processing/${aws:username}/*"
        ]
    },
    {
        "Sid": "DenyAllS3ActionsInManagement",
        "Effect": "Deny",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt/Management/*"
        ]
    }
]

}

So, what I want to do is to restrict users to list/read/write only what is in "/Production and Processing/[UserName]", along with being able to list/read everything in "/Company Shared" while specifically prohibiting all access to "/Management" as well as everything in "/Production and Processing/*" except their user folder. Ideally a user would only see "/Company Shared" and "/Production and Processing" in bluebolt, and once they get into "/Production and Processing", they'd only see their user-named folder which is their workspace.

Right now, I am getting sporadic access by users ("You do not have permission to access") once they dig below the bluebolt top level bucket.

I don't know if this use case is common or if I'm trying to fit too-square a peg into a round hole, but any feedback/tips/similar policy applications/harsh criticism is welcome and greatly appreciated!

Upvotes: 0

Views: 779

Answers (2)

Claz

Reputation: 31

Here's the code I got to work.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowListingOfUserFolder",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "*",
                    "bluebolt/Company Shared/*",
                    "bluebolt/Production and Processing/*",
                    "bluebolt/Production and Processing/${aws:userName}/*"
                ]
            }
        }
    },
    {
        "Sid": "AllowAllS3ActionsInUserFolder",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bluebolt/Production and Processing/${aws:userName}/*"
        ]
    },
    {
        "Sid": "AllowCertainS3ActionsInCompanyShared",
        "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bluebolt/Company Shared/*"
        ]
    }
]

}

Upvotes: 0

Sudharsan Sivasankaran

Reputation: 5887

IAM policy variables with federated users

The ${aws:userName} policy variable will not work for roles. Use the ${aws:userID} policy variable instead of the ${aws:userName} policy variable.

The ${aws:userid} variable will be "ROLEID:caller-specified-name".

I used the same policy with aws:userid and a role.

  1. Get Role ID.

    aws iam get-role --role-name Arsenal-role --query Role.RoleId --output text
    AROAXXT2NJT7D3SIQN7Z6
    
  2. Ask your users to upload into Bucket/Prefix/<RoleID:SessionName>/

    aws s3 cp test.txt 's3://mydemo/Production and Processing/AROAXXT2NJT7D3SIQN7Z6:john/' --profile s3role
    upload: ./test.txt to s3://mydemo/Production and Processing/AROAXX2NJT7D3SIQN7Z6:john/test.txt
    
    aws s3 cp test.txt 's3://mydemo/Management/' --profile s3role
    upload failed: ./test.txt to s3://mydemo/Management/test.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
    
    aws s3 cp test.txt 's3://mydemo/Production and Processing/' --profile s3role
    upload failed: ./test.txt to s3://mydemo/Production and Processing An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
    

Upvotes: 1
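To see why the question's policy denies some requests and why the second answer's switch from ${aws:userName} to ${aws:userid} matters for role sessions, here is an added example (not the question's policy, not either answer's code, and not a real IAM engine). It is a small Python evaluator for the subset of IAM semantics these statements rely on: default deny, explicit Deny overriding Allow, "*" and "?" wildcards in Action and Resource, StringEquals/StringLike conditions on s3:prefix and s3:delimiter, and ${aws:...} variable substitution from the caller's context. The tightened policy it builds, the user name "alice", the session name "john" and the role ID "AROAEXAMPLEROLEID" are all constructed for the demo; the bucket name "bluebolt" and folder layout are the question's.

```python
"""Toy evaluator for the S3 folder-per-user policy pattern on this page.

Added example: not the question's policy, not either answer's code, and not
a real IAM engine. It models only default deny, explicit Deny over Allow,
'*'/'?' wildcards, StringEquals/StringLike on s3:prefix and s3:delimiter,
and ${aws:username}/${aws:userid} substitution. Names and IDs are constructed.
"""
import re

BUCKET = "arn:aws:s3:::bluebolt"


def listify(value):
    """IAM accepts a bare string wherever a list of strings is allowed."""
    return value if isinstance(value, list) else [value]


def substitute(text, ctx):
    """Expand ${aws:...} variables from the caller context. An unresolvable
    variable stays literal, so it matches nothing: this is what a role session
    (which has no aws:username) runs into with a ${aws:username} policy."""
    return re.sub(r"\$\{([\w:]+)\}",
                  lambda m: ctx.get(m.group(1).lower(), m.group(0)), text)


def iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {"StringEquals": lambda pat, val: pat == val, "StringLike": iam_match}


def condition_holds(condition, ctx, request):
    """All operator/key pairs must hold; within one key any listed value may match.
    A key absent from the request (e.g. no delimiter sent) fails the test."""
    for operator, keys in condition.items():
        test = OPERATORS[operator]
        for key, patterns in keys.items():
            value = request.get(key.lower())
            if value is None:
                return False
            if not any(test(substitute(p, ctx), value) for p in listify(patterns)):
                return False
    return True


def evaluate(policy, ctx, action, resource, request=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    request = request or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action) for a in listify(stmt["Action"])):
            continue
        if not any(iam_match(substitute(r, ctx), resource)
                   for r in listify(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx, request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins regardless of statement order
        decision = "Allow"
    return decision


def build_policy(home_var):
    """Hypothetical tightened policy for the question's layout. home_var is
    'aws:username' for IAM users or 'aws:userid' for role sessions, whose home
    folder is then named '<RoleId>:<session name>' as in the second answer."""
    home = "Production and Processing/${" + home_var + "}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListTopLevel", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": BUCKET, "Condition": {"StringEquals": {
             "s3:prefix": ["", "Production and Processing/", "Company Shared/"],
             "s3:delimiter": "/"}}},
        {"Sid": "ListSharedAndHome", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": BUCKET, "Condition": {"StringLike": {
             "s3:prefix": ["Company Shared/*", home + "/*"]}}},
        {"Sid": "ReadShared", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": BUCKET + "/Company Shared/*"},
        {"Sid": "ReadWriteHome", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"],
         "Resource": BUCKET + "/" + home + "/*"},
        {"Sid": "DenyManagement", "Effect": "Deny", "Action": "s3:*",
         "Resource": BUCKET + "/Management/*"},
    ]}


def demo():
    """Exercise the policy as IAM user 'alice' and as role session 'john'."""
    user_policy = build_policy("aws:username")
    alice = {"aws:username": "alice"}
    lb = lambda req: evaluate(user_policy, alice, "s3:ListBucket", BUCKET, req)
    results = {
        "list_root": lb({"s3:prefix": "", "s3:delimiter": "/"}),
        "list_own_folder": lb({"s3:prefix": "Production and Processing/alice/"}),
        "list_other_folder": lb({"s3:prefix": "Production and Processing/bob/"}),
        "list_root_no_delimiter": lb({"s3:prefix": ""}),
        "put_own": evaluate(user_policy, alice, "s3:PutObject",
                            BUCKET + "/Production and Processing/alice/report.txt"),
        "put_shared": evaluate(user_policy, alice, "s3:PutObject", BUCKET + "/Company Shared/x.txt"),
        "get_shared": evaluate(user_policy, alice, "s3:GetObject", BUCKET + "/Company Shared/x.txt"),
        "put_management": evaluate(user_policy, alice, "s3:PutObject", BUCKET + "/Management/x.txt"),
    }
    # Role session context: no aws:username, aws:userid is "<RoleId>:<session>".
    # The role ID is a constructed placeholder.
    john = {"aws:userid": "AROAEXAMPLEROLEID:john"}
    role_home = BUCKET + "/Production and Processing/AROAEXAMPLEROLEID:john/test.txt"
    results["role_username_policy"] = evaluate(user_policy, john, "s3:PutObject", role_home)
    results["role_userid_policy"] = evaluate(build_policy("aws:userid"), john, "s3:PutObject", role_home)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

Two things the run makes visible. First, the "list_root_no_delimiter" case is implicitly denied because the StringEquals condition on s3:delimiter fails when the client omits the delimiter; a client that sometimes lists with and sometimes without a delimiter will see exactly the kind of intermittent "You do not have permission" the question describes, so the request parameters a client sends are worth checking before the policy. Second, IAM authorizes each ListBucket call by its prefix and delimiter; it does not filter the folder names an allowed listing returns, so allowing "Production and Processing/" to be listed exposes every user's folder name even though only the caller's own folder is readable.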
