lft93ryt

Reputation: 1016

Deny Amazon S3 buckets and objects from being public

I am trying to write bucket policies to deny public access to buckets and objects using AWS's defense-in-depth methodology, as per How to Use Bucket Policies and Apply Defense-in-Depth to Help Secure Your Amazon S3 Data | AWS Security Blog.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnSecureCommunications",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::ironman111",
                "arn:aws:s3:::ironman111/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "DenyPublicReadACL",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::ironman111/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": [
                        "public-read",
                        "public-read-write",
                        "authenticated-read"
                    ]
                }
            }
        },
        {
            "Sid": "DenyPublicReadGrant",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::ironman111/*",
            "Condition": {
                "StringLike": {
                    "s3:x-amz-grant-read": [
                        "*http://acs.amazonaws.com/groups/global/AllUsers*",
                        "*http://acs.amazonaws.com/groups/global/AuthenticatedUsers*"
                    ]
                }
            }
        },
        {
            "Sid": "DenyPublicListACL",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutBucketAcl",
            "Resource": "arn:aws:s3:::ironman111",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": [
                        "public-read",
                        "public-read-write",
                        "authenticated-read"
                    ]
                }
            }
        },
        {
            "Sid": "DenyPublicListGrant",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutBucketAcl",
            "Resource": "arn:aws:s3:::ironman111",
            "Condition": {
                "StringLike": {
                    "s3:x-amz-grant-read": [
                        "*http://acs.amazonaws.com/groups/global/AllUsers*",
                        "*http://acs.amazonaws.com/groups/global/AuthenticatedUsers*"
                    ]
                }
            }
        }
    ]
}

However, I don't see the above policy restricting me from making the bucket or object public, or its ACLs public-read/write.

I later added the following to the policy. In this case, the resources are private, but now I am restricted from sharing S3 buckets between accounts.

    {
        "Sid": "DenyAuthenticatedUsersObjectAccess",
        "Effect": "Deny",
        "Principal": "*",
        "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl"
        ],
        "Resource": "arn:aws:s3:::ironman111/*",
        "Condition": {
            "StringNotEquals": {
                "s3:x-amz-acl": "private"
            }
        }
    },
    {
        "Sid": "DenyAuthenticatedUsersBucketAccess",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutBucketAcl",
        "Resource": "arn:aws:s3:::ironman111",
        "Condition": {
            "StringNotEquals": {
                "s3:x-amz-acl": "private"
            }
        }
    },

Please suggest what is wrong in the first policy.

I am unable to use the IAM policy validator, as it is a bucket policy. Also, I am unable to test cross-account access, as I do not have another canonical ID.

Why does order matter in the resources array?


Updated:

I have added the following policy to the IAM user, and it is still allowing the creation of a bucket with public access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "s3:CreateBucket",
                "s3:PutBucketAcl"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "s3:x-amz-acl": [
                        "public-read",
                        "public-read-write"
                    ]
                }
            }
        }
    ]
}

I need the policies to stop buckets from being public.

Upvotes: 0

Views: 1735

Answers (1)

John Rotenstein

Reputation: 270154

The first policy is denying the ability to upload objects with an Access Control List that will make the objects public.

You are correct that the policy will not stop you "from making the bucket or object public or its ACLs public read/write". Rather, it is preventing files from being stored as public objects in the first place.

You, as an administrator, could certainly add a Bucket Policy that then makes the whole bucket public. But that is not what the policy is trying to prevent.

Upvotes: 1
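As an added example (not code from the question or the answer above), the following Python model walks the question's Deny statements the way S3 evaluates a bucket policy's conditions, so the two observations in the thread can be checked offline without a second account: the first policy only matches writes that carry a public ACL or grant header, and the later StringNotEquals statements also match any write whose x-amz-acl is not "private", including uploads that send "bucket-owner-full-control" (the usual cross-account upload ACL) or no ACL header at all. It is a deliberately partial model: it ignores Principal (every statement in the question uses "*"), evaluates only the operators the question uses, and says nothing about identity policies, ACLs or Block Public Access, which are evaluated separately in real S3. The policy is re-expressed as Python dicts, the two added statements are given distinct Sids (S3 rejects duplicate Sids in one policy), and the sample requests and the object key "file" are constructed for the example. The missing-key behaviour modelled here (a negated operator matches when the key is absent from the request context, a positive one does not) is the documented IAM rule.

```python
from fnmatch import fnmatchcase

# Constructed model of the bucket policy from the question: the five original
# Deny statements, then the two StringNotEquals statements added later.
BUCKET = "arn:aws:s3:::ironman111"
PUBLIC_ACLS = ["public-read", "public-read-write", "authenticated-read"]
PUBLIC_GRANTS = ["*http://acs.amazonaws.com/groups/global/AllUsers*",
                 "*http://acs.amazonaws.com/groups/global/AuthenticatedUsers*"]
OBJECT_WRITES = ["s3:PutObject", "s3:PutObjectAcl"]


def deny(sid, action, resource, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": action, "Resource": resource, "Condition": condition}


FIRST_POLICY = {"Version": "2012-10-17", "Statement": [
    deny("DenyUnSecureCommunications", "s3:*", [BUCKET, BUCKET + "/*"],
         {"Bool": {"aws:SecureTransport": "false"}}),
    deny("DenyPublicReadACL", OBJECT_WRITES, BUCKET + "/*",
         {"StringEquals": {"s3:x-amz-acl": PUBLIC_ACLS}}),
    deny("DenyPublicReadGrant", OBJECT_WRITES, BUCKET + "/*",
         {"StringLike": {"s3:x-amz-grant-read": PUBLIC_GRANTS}}),
    deny("DenyPublicListACL", "s3:PutBucketAcl", BUCKET,
         {"StringEquals": {"s3:x-amz-acl": PUBLIC_ACLS}}),
    deny("DenyPublicListGrant", "s3:PutBucketAcl", BUCKET,
         {"StringLike": {"s3:x-amz-grant-read": PUBLIC_GRANTS}}),
]}
# Sids renamed here: the question's fragment reused one Sid for both statements.
EXTENDED_POLICY = {"Version": "2012-10-17", "Statement": FIRST_POLICY["Statement"] + [
    deny("DenyNonPrivateObjectAcl", OBJECT_WRITES, BUCKET + "/*",
         {"StringNotEquals": {"s3:x-amz-acl": "private"}}),
    deny("DenyNonPrivateBucketAcl", "s3:PutBucketAcl", BUCKET,
         {"StringNotEquals": {"s3:x-amz-acl": "private"}}),
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _operator_matches(operator, values, actual):
    """One condition operator against the request-context value of one key.
    Documented IAM rule modelled here: when the key is absent from the context,
    a positive operator evaluates to false and a negated (...Not...) one to true."""
    negated = operator.startswith("StringNot")
    if actual is None:
        return negated
    if operator == "Bool":
        return actual.lower() in [v.lower() for v in values]
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in values                       # case-sensitive
    elif operator in ("StringLike", "StringNotLike"):
        hit = any(fnmatchcase(actual, v) for v in values)  # * and ? wildcards
    else:
        raise ValueError("operator not modelled: " + operator)
    return not hit if negated else hit


def statement_applies(stmt, action, resource, context):
    """Action (case-insensitive) and Resource must match; Principal is not checked
    because every statement in the question uses "*"."""
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Every key under every operator must match (AND); the values listed for one key are OR-ed.
    return all(_operator_matches(op, _as_list(vals), context.get(key))
               for op, keys in stmt.get("Condition", {}).items()
               for key, vals in keys.items())


def denied_by(policy, action, resource, context):
    """Sids of the Deny statements that match the request. An empty list only means
    this bucket policy does not block it; other layers of S3 authorization still apply."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and statement_applies(s, action, resource, context)]


# Constructed requests; the context holds the keys S3 would derive from the headers.
TLS = {"aws:SecureTransport": "true"}
ALL_USERS = 'uri="http://acs.amazonaws.com/groups/global/AllUsers"'
REQUESTS = {
    "upload, x-amz-acl: public-read":           ("s3:PutObject", BUCKET + "/file", {**TLS, "s3:x-amz-acl": "public-read"}),
    "upload, public-read over plain HTTP":      ("s3:PutObject", BUCKET + "/file", {"aws:SecureTransport": "false", "s3:x-amz-acl": "public-read"}),
    "cross-account upload, bucket-owner-full-control": ("s3:PutObject", BUCKET + "/file", {**TLS, "s3:x-amz-acl": "bucket-owner-full-control"}),
    "upload with no ACL header":                ("s3:PutObject", BUCKET + "/file", TLS),
    "bucket ACL with x-amz-grant-read AllUsers": ("s3:PutBucketAcl", BUCKET, {**TLS, "s3:x-amz-grant-read": ALL_USERS}),
    "replace the bucket policy":                ("s3:PutBucketPolicy", BUCKET, TLS),
}

if __name__ == "__main__":
    for name, (action, resource, ctx) in REQUESTS.items():
        print(f"{name:50} first: {denied_by(FIRST_POLICY, action, resource, ctx) or 'not denied'}"
              f" | extended: {denied_by(EXTENDED_POLICY, action, resource, ctx) or 'not denied'}")
```

Two rows of that table carry the practical lesson: s3:PutBucketPolicy is not denied by either version, which is the answer's point that an administrator can still attach a public bucket policy, and the extended policy denies uploads that set "bucket-owner-full-control" or omit the ACL header entirely, so it breaks cross-account uploads rather than merely blocking public ones. If the goal is to block public access regardless of how it is granted, S3 Block Public Access at the bucket or account level covers ACLs and bucket policies together, and this kind of Deny policy then serves as the second layer.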
