Reputation: 1016
I want to restrict the user from creating Amazon S3 buckets in a particular region. I wrote a policy like the one below and attached it to the user. But it denies the user from creating any bucket.
Please help. The other Statements are written to see if the buckets are created. Unfortunately, we cannot restrict the user from listing the buckets.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RegionSpecificS3BucketCreation",
      "Effect": "Allow",
      "Action": "s3:CreateBucket",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringLike": {
          "s3:LocationConstraint": "us-east-1"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    }
  ]
}
Upvotes: 1
Views: 663
Reputation: 21
I used the below policy to restrict bucket creation in all regions other than us-east-1 and ap-south-1. Rather than using the "Allow" effect I applied a "Deny" effect for all S3 actions and added an exception for the required regions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "ap-south-1"
          ]
        }
      }
    }
  ]
}
Upvotes: 2
Reputation: 179064
us-east-1 is a special case. That is the original S3 region, and for backwards compatibility buckets in that region do not actually have a location constraint declared. They are still constrained to us-east-1 (the data remains in that region), but you create buckets in us-east-1 by not specifying a location constraint at the API level.
I suspect that the correct condition test for that specific region would be this:
"Condition": {
  "StringLikeIfExists": {
    "s3:LocationConstraint": ""
  }
}
That is, if the string is present at all, it must be an empty string.
For all other regions, what you are doing should work fine.
Upvotes: 3
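A small model of the condition evaluation discussed in the question and both answers, added here as an example (not code from the question or the answers): it shows the asker's StringLike condition failing for us-east-1 because the key is absent from the request, the StringLikeIfExists fix passing, and the aws:RequestedRegion deny blocking other regions. It assumes, as the last answer states, that a us-east-1 CreateBucket carries no s3:LocationConstraint key, and pairs the deny statement with an unconditional Allow, since a Deny alone grants nothing; the operator model is simplified to the operators this page uses.

```python
import fnmatch

def _op_holds(op, key, expected, ctx):
    """Evaluate one condition operator; only the operators used on this page are modelled."""
    values = expected if isinstance(expected, list) else [expected]
    if key not in ctx:                  # key absent from the request context:
        return op.endswith("IfExists")  # ...IfExists passes, the others fail (simplified model)
    actual, base = ctx[key], op.replace("IfExists", "")
    if base == "StringLike":
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    if base == "StringEquals":
        return actual in values
    if base == "StringNotEquals":
        return actual not in values
    raise ValueError(f"unsupported operator {op}")

def evaluate(policy, action, ctx):
    """Simplified IAM logic: a matching Deny wins, then a matching Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not all(_op_holds(op, k, v, ctx) for op, block in st.get("Condition", {}).items()
                   for k, v in block.items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

def _policy(effect, action, condition):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": effect, "Action": action, "Resource": "*", "Condition": condition}]}

# The question's condition, the StringLikeIfExists fix from the last answer, and the
# aws:RequestedRegion deny from the first answer (plus a plain Allow: a Deny alone grants nothing).
ASKER = _policy("Allow", "s3:CreateBucket", {"StringLike": {"s3:LocationConstraint": "us-east-1"}})
FIXED = _policy("Allow", "s3:CreateBucket", {"StringLikeIfExists": {"s3:LocationConstraint": ""}})
REGION_DENY = _policy("Deny", "s3:*", {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "ap-south-1"]}})
REGION_DENY["Statement"].append({"Effect": "Allow", "Action": "s3:CreateBucket", "Resource": "*"})
# Constructed request contexts. Per the last answer, a CreateBucket in us-east-1 carries no
# s3:LocationConstraint key at all; every other region reports its own name.
US_EAST_1 = {"aws:RequestedRegion": "us-east-1"}
EU_WEST_1 = {"aws:RequestedRegion": "eu-west-1", "s3:LocationConstraint": "eu-west-1"}

if __name__ == "__main__":
    for name, pol in [("asker", ASKER), ("fixed", FIXED), ("region-deny", REGION_DENY)]:
        print(name, evaluate(pol, "s3:CreateBucket", US_EAST_1), evaluate(pol, "s3:CreateBucket", EU_WEST_1))
```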