I asked this question on SO a few days ago, but it seems like nobody knows the answer. (https://stackoverflow.com/questions/53884456/bucket-policy-for-only-the-root-user)
I have a bucket and I wanted to only allow the root user (so neither IAM users nor roles can access it, only the root). I ended up with this policy which seems to work:
{
"Version": "2012-10-17",
"Id": "Policy1544958708832",
"Statement": [
{
"Sid": "Stmt1544958705029",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::<accountid>:root"
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::<bucket>/*"
}
]
}I verified that I can not access the objects in the bucket with an Administrator user, but I can access them when signed in with the root user.
But I don’t see why it works. I thought that the :root is the whole account and not just the root user (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html), so that it should allow other users to access the objects. But I see it’s not.
Why is that?
2 Answers
Remember that with S3, access is based on a combination of the bucket policy as well as the IAM policy associated with the user. The Root user will have access to run any S3 API calls, whereas an ordinary user has no permissions by default, until you go in and add them.
but it is the Administrator user that is trying to access S3 and as Tamas mentioned the arn covers all users in the account – But why still the user with Administrator access does not see S3 bucket?
@Tamas, did you find out the answer? I still dont understand why the Administrator even with all rights cannot access the S3 bucket in this case. The Deny NotPrincipal seems to include only the Account root but not its IAM users (even if IAM users have access like Administrator in this case). On the contrary, Allow Principal includes both the Account root and its IAM users (that has access via IAM policy).
Tamas, the "root" is a special type of user that owns the top level account identified by the unique aws account id. This is also similar to root login on unix systems that is native. The policy you wrote above is the correct way to accomplish exclusive access to s3 bucket – through an inline policy that explicitly locks it down to a specific user (=in this case the root)
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html