Meltemi

Reputation: 38359

How to merge AWS S3 bucket policies?

We have an existing S3 bucket policy in production:

{
    "Version": "2012-10-17",
    "Id": "Policy[redacted]",
    "Statement": [
        {
            "Sid": "ServiceA access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[redacted]:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mysite-production/*"
        },
        {
            "Sid": "ServiceA access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[redacted]:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mysite-production"
        },
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mysite-production/*"
        }
    ]
}

We have another 3rd-party service we want to grant access to, which requires:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

I've tried merging the ListAllMyBuckets and GetBucketLocation into the final section of our original policy, but that yields "Policy has invalid action" errors:

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:DeleteObject"
        ],
        "Resource": "arn:aws:s3:::mysite-production/*"
    }

How can I merge these into one cohesive policy? Or is it possible for a bucket to have two policies?

Thanks in advance!

Upvotes: 1

Views: 1729

Answers (1)

Jorge Garcia

Reputation: 2580

You can actually apply both IAM policies and S3 bucket policies simultaneously, with the ultimate authorization being the least-privilege union of all the permissions.

Source: https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Upvotes: 2
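The merge the question asks for, worked through as an added example (this is not code from the question, the answer, or AWS). Two properties of bucket policies decide where each of the third party's actions can live: every bucket policy statement must name a Principal, and its Resource must be the bucket it is attached to or objects under it, so s3:ListAllMyBuckets (an account-level action granted with Resource "*") can only come from an IAM policy attached to the third party's own principal, which is the coexistence the answer describes. The script re-scopes the third party's statements onto the bucket under a named principal, returns the remainder as an IAM policy, and audits the result; run against the attempted statement from the question it flags that putting PutObject/DeleteObject under the public-read Principal "*" would make the bucket world-writable. The third-party role ARN and the account ids are placeholders.

```python
"""Merge a third party's IAM-style policy into an existing S3 bucket policy.
Added example, not code from the question, the answer, or AWS. Assumes the third
party calls S3 as THIRD_PARTY_ARN (placeholder account id and role name)."""
import copy
import json

BUCKET_ARN = "arn:aws:s3:::mysite-production"
OBJECTS_ARN = BUCKET_ARN + "/*"
THIRD_PARTY_ARN = "arn:aws:iam::111122223333:role/ThirdPartyUploader"  # placeholder
OWN_ACCOUNT_ROOT = "arn:aws:iam::444455556666:root"  # placeholder for the redacted id

# Account-level actions: a bucket policy cannot grant these; they belong in an
# IAM policy attached to the caller's principal, with Resource "*".
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}
# Actions that apply to the bucket ARN itself, not to the objects under it.
BUCKET_LEVEL = {"s3:GetBucketLocation", "s3:ListBucket"}
# Actions that make a bucket world-writable when granted to Principal "*".
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:*"}

# Constructed copies of the policies in the question (account ids replaced).
EXISTING_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ServiceA access", "Effect": "Allow", "Principal": {"AWS": OWN_ACCOUNT_ROOT},
         "Action": "s3:*", "Resource": OBJECTS_ARN},
        {"Sid": "ServiceA access", "Effect": "Allow", "Principal": {"AWS": OWN_ACCOUNT_ROOT},
         "Action": "s3:*", "Resource": BUCKET_ARN},
        {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": OBJECTS_ARN},
    ],
}
THIRD_PARTY_REQUIREMENTS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::*",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]},
    ],
}
# The statement the asker tried: the third party's object actions under the public Principal.
ATTEMPTED_STATEMENT = {"Effect": "Allow", "Principal": {"AWS": "*"}, "Resource": OBJECTS_ARN,
                       "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _unique_sid(base, taken):
    # Sids are kept unique within the merged document.
    sid, n = base, 1
    while sid in taken:
        n += 1
        sid = f"{base}{n}"
    taken.add(sid)
    return sid


def merge_into_bucket_policy(bucket_policy, iam_policy, principal_arn, sid_prefix="ThirdParty"):
    """Return (merged bucket policy, IAM policy for what a bucket policy cannot grant)."""
    merged = copy.deepcopy(bucket_policy)
    taken = {s.get("Sid") for s in merged["Statement"]}
    leftover = []
    for stmt in iam_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are not merged blindly; review them by hand
        scoped = {"Objects": (OBJECTS_ARN, []), "Bucket": (BUCKET_ARN, [])}
        account = []
        for action in _as_list(stmt["Action"]):
            if action in ACCOUNT_LEVEL:
                account.append(action)
            else:
                scoped["Bucket" if action in BUCKET_LEVEL else "Objects"][1].append(action)
        # The third party's Resource is ignored: every grant is re-scoped to our bucket.
        for label, (resource, actions) in scoped.items():
            if actions:
                merged["Statement"].append({
                    "Sid": _unique_sid(sid_prefix + label, taken),
                    "Effect": "Allow",
                    "Principal": {"AWS": principal_arn},  # the named caller, never "*"
                    "Action": actions,
                    "Resource": resource,
                })
        if account:
            leftover.append({"Effect": "Allow", "Action": account, "Resource": "*"})
    iam_remainder = {"Version": "2012-10-17", "Statement": leftover} if leftover else None
    return merged, iam_remainder


def audit_bucket_policy(policy):
    """List statements S3 would reject as a bucket policy, or that a reviewer should block."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"{sid}: bucket policy statements must name a Principal")
        for res in _as_list(stmt.get("Resource", [])):
            if res != BUCKET_ARN and not res.startswith(BUCKET_ARN + "/"):
                findings.append(f"{sid}: Resource {res} is not this bucket or its objects")
        if actions & ACCOUNT_LEVEL:
            findings.append(f"{sid}: {sorted(actions & ACCOUNT_LEVEL)} are account-level, grant via IAM policy")
        if principal in ("*", {"AWS": "*"}) and actions & WRITE_ACTIONS:
            findings.append(f"{sid}: Principal * with {sorted(actions & WRITE_ACTIONS)} is world-writable")
    return findings


if __name__ == "__main__":
    merged, iam_rest = merge_into_bucket_policy(EXISTING_BUCKET_POLICY, THIRD_PARTY_REQUIREMENTS, THIRD_PARTY_ARN)
    print(json.dumps(merged, indent=2))
    print("IAM policy for the third party's role:", json.dumps(iam_rest, indent=2))
    print("Findings on the asker's attempt:", audit_bucket_policy({"Statement": [ATTEMPTED_STATEMENT]}))
```

The merged bucket policy gains two statements for the third party's principal (object actions on the bucket's objects, GetBucketLocation on the bucket ARN), and the IAM remainder holding s3:ListAllMyBuckets is what gets attached to the role or user the third party authenticates as. The audit run on the raw third-party document reports the missing Principal, the foreign Resource and the account-level action, which together account for the policy being rejected when pasted into the bucket policy unchanged.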
