red888

Reputation: 31550

Grant users access to all external buckets but exclude our own account buckets

I want to give IAM users access to ALL external buckets- buckets not in our own account.

For example, publicly accessible buckets or buckets someone gives our AWS account access to. If the IAM user in our account does not have access to an external bucket (via IAM policy) they can't access it.

I can't grant them access to ALL buckets though because that will include our own buckets - which we don't want some users to access, or only give access with specific permissions.

Essentially I want a condition that says:

IF NOT <MY AWS ACCOUNT> 
    grant s3:*
ELSE
    don't modify existing S3 permissions

I want to have a policy I can just apply to users or roles that allow access to all external buckets.

Edit

Looks like you can use aws:ResourceAccount?

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_resource_account_data_exch.html

Upvotes: 0

Views: 292

Answers (2)

Sean Saleh

Reputation: 534

As you alluded to in the edit, you can use the below policy to allow an IAM role access to S3 resources in accounts other than your own.

You may use this if you expect other accounts to use resource based permissions to allow your role access to their s3 resources, but you don't want to give your role access to all of s3 in your own account.

Note: replace 111111111111 with your account id

{
    "Statement": [
        {
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
        },
        {
            "Action": "s3:*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "111111111111"
                }
            },
            "Effect": "Deny",
            "Resource": "*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

Upvotes: 0
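To see how the two statements combine under IAM's evaluation logic (an explicit Deny overrides every Allow, which is why this differs from the question's "don't modify existing S3 permissions" branch), here is an added Python simulation; it is not code from the answer or from AWS. The external account id 222222222222, the bucket names and the INTERNAL_ALLOW policy are constructed for the demonstration, and only the StringEquals operator the answer uses is modelled.

```python
import fnmatch

OWN_ACCOUNT = "111111111111"       # the account id used in the answer above
EXTERNAL_ACCOUNT = "222222222222"  # constructed: some other AWS account

# The two-statement policy from the answer, as a Python dict.
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Sid": "", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceAccount": OWN_ACCOUNT}}},
]}

# Constructed: an Allow an admin might later attach for one internal bucket.
INTERNAL_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-reports/*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Only StringEquals is modelled; it is the only operator the answer uses.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        if any(context.get(key) != expected for key, expected in pairs.items()):
            return False
    return True

def evaluate(policies, action, resource, context):
    """Simplified IAM logic: an explicit Deny beats any Allow; no match is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation
            decision = "Allow"
    return decision

def decide(bucket_owner, action="s3:GetObject", resource="arn:aws:s3:::some-bucket/key", extra=()):
    # aws:ResourceAccount is the id of the account that owns the bucket being accessed.
    return evaluate([ANSWER_POLICY, *extra], action, resource, {"aws:ResourceAccount": bucket_owner})
```

Running `decide(OWN_ACCOUNT, resource="arn:aws:s3:::internal-reports/q1.csv", extra=[INTERNAL_ALLOW])` still returns "Deny": once this policy is attached, no other identity policy can grant that principal access to a bucket in your own account.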

Jason Wadsworth

Reputation: 8887

You can add a condition to the policy: IAM JSON Policy Elements: Condition Operators - AWS Identity and Access Management

Edit: Based on the conversation and further research, this won't work for IAM users. You might be able to add a DENY policy to each of your buckets based on the aws:PrincipalTag and tag any user that you don't want to have access.

Upvotes: -1
