Reputation: 11
How to write s3 conditional bucket policy with several logical "OR"?
I'm setting a public S3-based website and I want to deny direct access to my s3 bucket for the users beyond my CloudFront distribution. At the same time I want to be able to directly access s3 content by myself (admin). Also I would like to allow CodeBuild Service to Access the same bucket.
Amazon suggests to "add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages.":
But if I add an Explicit Deny part:
{
"Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"StringNotLike": {"aws:Referer": ["http://www.example.com/*","http://example.com/*"]}
}
I'm loosing the opportunity for myself to upload files directly to the s3 bucket, also CodeBuild Service will not be able to do anything with my bucket as well.
How can I implement Conditions in my bucket policy in oder to deny access:
ONLY IF
("StringNotLike": {"aws:Referer": "https://www.example.com"})
OR
("StringNotLike": {"aws:userid": "my root user id"})
OR
(my bucket is not requested by CodeBuild Service)
Upvotes: 1
Views: 1358
Answers (1)
Reputation: 269826
By default, there is no access to objects stored in Amazon S3. Therefore, you should grant access via Allow permissions. Anything not Allowed is thus denied.
- Add a Bucket Policy that permits action via the CloudFront Origin Access Identity
- CodeBuild appears to use permissions of the IAM User that is using CodeBuild, so assign the permissions to those IAM Users (I looked at the documentation and it didn't mention the use of service-linked roles, but I might be wrong here)
- To allow you to the bucket, add permissions to your IAM User
None of the above requires the use of a Deny policy.
See: Restricting Access to Amazon S3 Content by Using an Origin Access Identity - Amazon CloudFront
Upvotes: 1
Related Questions
- How to provide multiple StringNotEquals conditions in AWS policy?
- AWS S3 bucket policy with condition
- S3 bucket policy multiple conditions
- AWS s3 bucket multiple StringEquals conditions policy
- How to solve conditions do not apply to combination of actions and resources in statement?
- S3 bucket policy error "Conditions do not apply to combination of actions and resources in statement"
- Condition in a bucket policy to only allow specific service
- Adding custom condition in S3 bucket policy
- How do I do an OR condition in an S3 bucket policy?
- How can i change policy condition in Amazon S3 for a Bucket