Vatsal Rahul

Reputation: 367

How to restrict users to create a public S3 object into a private bucket

I have created an Amazon S3 bucket which is private in nature but I don't want my users to create any public object inside that bucket. How should I do that through an S3 policy of that bucket? I tried but I am getting an error that the policy has an invalid resource.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicReadGetObject",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::aws-my-bucket-s3-vk/*"
            ]
        }
    ]
}

Users should be able to access the bucket and create new objects / get objects from inside an EC2 instance with the necessary permissions.

On the S3 console, after the bucket name there is an Access column which should show "bucket and object cannot be public".

Upvotes: 0

Views: 1453

Answers (2)

jarmod

Reputation: 78733

You should enable Block Public Access on the S3 bucket. This will prevent anyone from making objects public in that bucket. You should also restrict which IAM users/roles/policies have permission to modify the Block Public Access settings.

Amazon S3 block public access settings will override S3 bucket policies and object-level permissions to prevent public access.

Upvotes: 1

John Rotenstein

Reputation: 269520

All Amazon S3 buckets are private by default. Nobody can access/use a bucket or its contents unless they have been granted permission via an IAM Policy, Bucket Policy or object-level permission.

It appears that you want a particular Amazon EC2 instance to be able to use the bucket. Therefore:

  • Create an IAM Role
  • Grant the desired permissions to the IAM Role (e.g. PutObject and GetObject on that bucket)
  • Assign the IAM Role to the Amazon EC2 instance
  • Applications on the EC2 instance will then be able to access the bucket

There is no need to use the Deny policy. It will always override other policies. It is better to use Allow policies to grant access, but only to the desired entities.

Here are some policy examples: User Policy Examples - Amazon Simple Storage Service

Upvotes: 1
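Added example (not from either answer or from AWS): it checks a policy's Resource entries for the malformed S3 ARN that produces the "invalid resource" error in the question (the asked policy has a leading space inside the ARN string), and builds the two things the answers recommend, the four Block Public Access flags and an Allow-only policy for the instance role scoped to the one bucket. The regex, the function names and the "InstanceObjectAccess" Sid are my own assumptions.

```python
import json
import re

# Constructed value: the bucket name used in the question.
BUCKET = "aws-my-bucket-s3-vk"

# An S3 resource ARN must be exactly arn:aws:s3:::<bucket> or arn:aws:s3:::<bucket>/<key-pattern>;
# S3 rejects a policy whose ARN has surrounding whitespace as an invalid resource. Regex is my assumption.
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$")


def invalid_s3_resources(policy: dict) -> list:
    """Return every Resource entry in the policy that is not a well-formed S3 ARN."""
    bad = []
    for stmt in policy.get("Statement", []):
        res = stmt.get("Resource", [])
        for arn in ([res] if isinstance(res, str) else res):
            if not S3_ARN.match(arn):
                bad.append(arn)
    return bad


def block_public_access_config() -> dict:
    """All four Block Public Access flags on (same keys as the S3 PublicAccessBlockConfiguration)."""
    return {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }


def instance_role_policy(bucket: str) -> dict:
    """Allow-only policy for the EC2 instance role: put/get objects in one bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InstanceObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


if __name__ == "__main__":
    # The policy from the question, with the stray leading space inside the ARN (constructed copy).
    asked = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":"*",'
                       '"Action":"s3:GetObject","Resource":[" arn:aws:s3:::aws-my-bucket-s3-vk/*"]}]}')
    print("invalid resources:", invalid_s3_resources(asked))
    print(json.dumps(instance_role_policy(BUCKET), indent=2))
```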
