Reputation: 1682
I'd like to restrict public access to some objects we have stored in S3, but show other objects in the same hierarchy of keys. For example, assume I want to make bucketname/* publicly readable, but I want to prevent access to bucketname/*/hidden/* for any users that are not expressly given access in IAM.
I can do that with a bucket policy like:
{
  "Id": "Policy123",
  "Statement": [
    {
      "Sid": "Stmt123",
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucketname/*",
      "Principal": {
        "AWS": [ "*" ]
      }
    },
    {
      "Sid": "Stmt124",
      "Action": [ "s3:GetObject" ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::bucketname/*/hidden/*",
      "Principal": {
        "AWS": [ "*" ]
      }
    }
  ]
}
But that prevents any IAM users/groups I have granted from accessing the hidden objects. Is there a setting for Principal in the second statement that only matches unauthenticated access? Or better yet, is there a way to list only those Principals that should NOT be affected by a policy statement?
Upvotes: 1
Views: 3732
Reputation: 1682
According to AWS support, this is currently not possible. Any Deny policy overrides a matching (or subset) Allow policy and there is no way to deny anonymous access only.
A similar effect can be achieved by specifying a private ACL for all objects matching bucketname/*/hidden/*, but that is not as flexible and must be applied manually.
Upvotes: 3
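A small, constructed model of the evaluation rule this answer describes (an explicit Deny that matches the request wins over every Allow, for anonymous and IAM principals alike), added here as an illustration; it is not part of the original answer and not AWS's evaluator. The policy is the one from the question; the IAM user ARN and object keys are made up for the example.

```python
import re

# Constructed, simplified model of bucket-policy evaluation for this example.
# It implements only the rules the discussion relies on: a matching explicit
# Deny wins over every Allow, and "*" in an ARN matches any run of characters,
# "/" included. It is not AWS's evaluator (no ACLs, conditions, NotPrincipal).

POLICY = {  # the bucket policy from the question
    "Statement": [
        {"Sid": "Stmt123", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::bucketname/*", "Principal": {"AWS": ["*"]}},
        {"Sid": "Stmt124", "Effect": "Deny", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::bucketname/*/hidden/*", "Principal": {"AWS": ["*"]}},
    ]
}
ANONYMOUS = "anonymous"
ALICE = "arn:aws:iam::123456789012:user/alice"   # constructed IAM user ARN

def glob_match(pattern, value):
    """IAM-style wildcard: '*' is any run of characters, '?' a single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def statement_applies(stmt, principal, action, resource):
    """True when the statement's Principal, Action and Resource all match."""
    aws = _as_list(stmt["Principal"].get("AWS", []))
    return (("*" in aws or principal in aws)
            and any(glob_match(a, action) for a in _as_list(stmt["Action"]))
            and any(glob_match(r, resource) for r in _as_list(stmt["Resource"])))

def evaluate(policy, principal, action, resource, identity_allows=False):
    """Return 'Allow' or 'Deny'. identity_allows models an IAM user/group
    policy granting the action; it can never apply to the anonymous principal."""
    allowed = identity_allows and principal != ANONYMOUS
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, principal, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"        # explicit Deny ends evaluation, whoever asks
        allowed = True
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    hidden = "arn:aws:s3:::bucketname/site/hidden/secret.txt"
    print(evaluate(POLICY, ANONYMOUS, "s3:GetObject", "arn:aws:s3:::bucketname/site/index.html"))  # Allow
    print(evaluate(POLICY, ANONYMOUS, "s3:GetObject", hidden))                    # Deny
    print(evaluate(POLICY, ALICE, "s3:GetObject", hidden, identity_allows=True))  # Deny: the IAM grant is overridden
```

Note that the Deny pattern bucketname/*/hidden/* needs at least one key segment before hidden/, so an object stored directly under bucketname/hidden/ is not covered by that statement.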
Reputation: 3310
You don't need to set the policy on the bucket. In fact, you can apply this same policy on the IAM user or group, depending on what works best in your scenario.
https://console.aws.amazon.com/iam/home?#
Sometimes extra permissions need to be added to the user so they can see the buckets to navigate. If, for example, they're using CloudBerry, you will need to give them list access to the main buckets. See, for example, one of my policies.
{
  "Statement": [
    {
      "Sid": "Stmt1330983243489",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<allowbucket1>",
        "arn:aws:s3:::<allowbucket1>/*"
      ]
    },
    {
      "Sid": "Stmt1330983260440",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "Stmt1330983357419",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:PutBucketNotification",
        "s3:PutBucketPolicy",
        "s3:PutBucketRequestPayment"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
Upvotes: 0