Reputation: 3590
In my AWS project, I have a lambda function, called by an API in API Gateway, that gets a file in a S3 bucket.
I try to secure my S3 bucket as much as possible, and after reading this and this, here is what I did in my CloudFormation template:
- Effect: 'Allow'
  Action:
    - "s3:GetObject"
  Resource: 'arn:aws:s3:::exampleS3Bucket/*'
- Effect: "Deny"
  Action:
    - "s3:*"
  Principal: "*"
  Resource:
    - 'arn:aws:s3:::exampleS3Bucket'
    - 'arn:aws:s3:::exampleS3Bucket/*'
  Condition:
    StringNotLike:
      aws:userId:
        - "<API_IAM_ROLE_ID>"
According to the documentation, you can retrieve the API_IAM_ROLE_ID by calling the following AWS CLI command: aws iam get-role --role-name <YOUR_IAM_ROLE>.
But I face two issues:
"Access Denied" error

EDIT
I also tried the following S3 bucket policy:
- Effect: "Deny"
  Action:
    - "s3:*"
  NotPrincipal:
    AWS:
      - "arn:aws:iam::123456789012:root"
      - "arn:aws:iam::123456789012:role/my-api-role"
  Resource:
    - 'arn:aws:s3:::exampleS3Bucket'
    - 'arn:aws:s3:::exampleS3Bucket/*'
But when I call my API, that calls a lambda that calls S3.GetObject(), I still have an "Access Denied" exception.
How can I fix that?
Thanks.
Upvotes: 0
Views: 1023
Reputation: 8593
This is how I did it recently.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "ACCOUNT NUMBER"
          ]
        }
      }
    }
  ]
}
This is how it works.
To get the user ID of the role:
aws iam get-role --role-name ROLE-NAME
Upvotes: 1
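The difference between the two policies above comes down to what `aws:userId` actually contains when a Lambda function calls S3: the function runs under an assumed-role session, so its `aws:userId` is `<RoleId>:<session-name>`, not the bare `RoleId`. The question's policy lists only the bare `RoleId`, so `StringNotLike` is satisfied for the Lambda's session and the explicit Deny fires. The answer's `AROA...:*` pattern covers every session of that role, and listing the account number keeps the account root from locking itself out. The following Python script is an added example, not code from either poster; it builds both policy variants and evaluates the `StringNotLike` condition locally against constructed `aws:userId` values (the account ID, role ID and session name are placeholders).

```python
import fnmatch
import json

# Constructed placeholder values. A real RoleId starts with "AROA" and is the
# "RoleId" field of `aws iam get-role --role-name <role>`.
ACCOUNT_ID = "123456789012"
API_ROLE_ID = "AROAEXAMPLEROLEID"

# The Lambda's aws:userId is "<RoleId>:<session-name>" (session name is the
# function name for Lambda); the account root's aws:userId is the account ID.
LAMBDA_USER_ID = f"{API_ROLE_ID}:my-api-function"
ROOT_USER_ID = ACCOUNT_ID


def build_deny_policy(bucket, allowed_user_ids):
    """Bucket policy that denies all s3:* unless aws:userId matches one pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {
                    "StringNotLike": {"aws:userId": list(allowed_user_ids)}
                },
            }
        ],
    }


def is_denied(policy, caller_user_id):
    """Local evaluation of the Deny statements' StringNotLike condition only.

    StringNotLike with a list of values is satisfied (so the Deny applies) when
    the caller's aws:userId matches NONE of the patterns. IAM's '*' and '?'
    wildcards behave like fnmatch's, and the comparison is case-sensitive.
    An explicit Deny overrides any Allow, so a True here means the real request
    would fail with Access Denied regardless of the role's IAM policy.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Condition"]["StringNotLike"]["aws:userId"]
        if not any(fnmatch.fnmatchcase(caller_user_id, p) for p in patterns):
            return True
    return False


# Question's variant: bare RoleId, no ":*" suffix.
questioner_policy = build_deny_policy("exampleS3Bucket", [API_ROLE_ID])

# Answer's variant: every session of the role, plus the account root.
answer_policy = build_deny_policy(
    "exampleS3Bucket", [f"{API_ROLE_ID}:*", ACCOUNT_ID]
)


def main():
    print(json.dumps(answer_policy, indent=2))
    print("question policy denies the Lambda:", is_denied(questioner_policy, LAMBDA_USER_ID))
    print("answer policy denies the Lambda:  ", is_denied(answer_policy, LAMBDA_USER_ID))
    print("answer policy denies account root:", is_denied(answer_policy, ROOT_USER_ID))
    print("answer policy denies other role:  ", is_denied(answer_policy, "AROAOTHERROLE:session"))


if __name__ == "__main__":
    main()
```

Before applying a Deny-everything policy like this to a real bucket, run the same check against the `aws:userId` of every principal that must keep access, including the account root and whoever will later need to edit the bucket policy; an explicit Deny that matches the policy editor cannot be undone from within that account without root intervention.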
Reputation: 269490
Denying access to a particular bucket can be tricky.
For example, Admins might have the ability to modify Roles and Bucket Policies, so they would be able to regain access to the bucket.
A common practice is to put sensitive information in a bucket in a different AWS Account, then provide access to the bucket only to specific users in the 'main' account. This way, the default is that nobody in the main account has access. It also simplifies the design of permissions, since there is no need to apply Deny policies.
An example would be where sensitive HR information is being stored, where only a small number of users should have access to the data.
Upvotes: 2