Farhad-Taran

Reputation: 6512

Terraform AWS S3 - deny to all except specific user

I have a bucket which I need to restrict to a specific user. I have written the following script, but it still seems to allow all users to operate on the bucket.

resource "aws_s3_bucket" "vulnerability-scans" {
  bucket = "vulnerability-scans"
}

resource "aws_s3_bucket_policy" "vulnerability-scans" {
  bucket = aws_s3_bucket.vulnerability-scans.id
  policy = data.aws_iam_policy_document.vulnerability-scans.json
}

data "aws_iam_policy_document" "vulnerability-scans" {
  # Allow-only statement: grants the CircleCI user access but denies nobody,
  # so any other principal whose own IAM policy allows S3 keeps its access.
  statement {
    principals {
      type = "AWS"
      identifiers = [
        aws_iam_user.circleci.arn,
      ]
    }

    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:ListBucket",
    ]

    resources = [
      aws_s3_bucket.vulnerability-scans.arn,
      "${aws_s3_bucket.vulnerability-scans.arn}/*",
    ]
  }
}

Upvotes: 3

Views: 1577

Answers (1)

Marko E

Reputation: 18158

I think you have to take into account that other users may have Allow in their policies, so the approach here should be to deny access to any user who is not the one you want. There is a detailed explanation in the AWS docs [1], but for the sake of brevity, I think the Terraform code should look like the following:

data "aws_iam_policy_document" "vulnerability-scans" {
  statement {
    sid    = "AllExceptUser"
    effect = "Deny"
    principals {
      type = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:ListBucket",
    ]

    resources = [
      aws_s3_bucket.vulnerability-scans.arn,
      "${aws_s3_bucket.vulnerability-scans.arn}/*",
    ]

    # aws:userId carries the caller's unique ID (AIDA... for an IAM user),
    # not its ARN, so compare against unique_id; an ARN here would match
    # no caller and deny the CircleCI user as well. Every principal not
    # listed, including the account root user (whose userId is the bare
    # account ID), is denied these actions.
    condition {
      test     = "StringNotLike"
      variable = "aws:userId"
      values = [
        aws_iam_user.circleci.unique_id
      ]
    }
  }
}

Even though the reference URL says it is for an IAM role, the same applies for a user. The StringNotLike condition operator has a more detailed explanation in [2].


[1] https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String

Upvotes: 7
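As an added check (not part of the answer or the AWS docs): a small Python lint that parses a rendered bucket policy JSON, for example the output of `aws s3api get-bucket-policy`, and flags the two pitfalls this thread turns on: an Allow-only bucket policy, and a Deny whose `aws:userId` condition is compared against an ARN rather than a unique ID. The sample policies, account ID and the `AIDA...` unique ID below are constructed placeholders.

```python
import json
import re

# Shapes aws:userId can take: IAM user unique ID (AIDA...), role session
# (AROA...:session-name), or the 12-digit account ID for the root user.
USERID_RE = re.compile(r"^(AIDA|AROA)[A-Z0-9]{12,}(:[^:]+)?$|^\d{12}$")
ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_bucket_policy(policy_json: str) -> list[str]:
    """Flag the two problems from the thread: an Allow-only bucket policy
    (restricts nobody) and a Deny whose aws:userId condition holds an ARN
    (no caller's userId is an ARN, so the intended user is denied too)."""
    findings = []
    statements = _as_list(json.loads(policy_json)["Statement"])
    if not any(s.get("Effect") == "Deny" for s in statements):
        findings.append("no Deny statement: principals allowed by their own "
                        "identity policies keep access to the bucket")
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no sid>")
        for keys in stmt.get("Condition", {}).values():
            for key, values in keys.items():
                if key.lower() != "aws:userid":
                    continue
                for v in _as_list(values):
                    if ARN_RE.match(v):
                        findings.append(f"{sid}: aws:userId compared to ARN {v}; "
                                        "use the unique ID or aws:PrincipalArn")
                    elif "*" not in v and not USERID_RE.match(v):
                        findings.append(f"{sid}: {v} is not a valid aws:userId")
    return findings

# Constructed sample: the answer's Deny rendered to JSON, with the ARN in the condition.
DENY_WITH_ARN = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllExceptUser", "Effect": "Deny", "Principal": {"AWS": "*"},
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::vulnerability-scans", "arn:aws:s3:::vulnerability-scans/*"],
    "Condition": {"StringNotLike": {"aws:userId": ["arn:aws:iam::123456789012:user/circleci"]}}}]})

# Same statement with a constructed placeholder unique ID (AIDA...) instead of the ARN.
DENY_WITH_UNIQUE_ID = DENY_WITH_ARN.replace(
    "arn:aws:iam::123456789012:user/circleci", "AIDAEXAMPLEUSERID0000")
```

Running `lint_bucket_policy` over the first sample reports the ARN mismatch; the second sample passes, and a policy containing only Allow statements is reported as restricting nobody.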
