Certified Security - Specialty

Sign Up Free or Log In to participate!

Bucket policy that only allows the root user

I asked this question on SO a few days ago, but it seems like nobody knows the answer. (https://stackoverflow.com/questions/53884456/bucket-policy-for-only-the-root-user)

I have a bucket and I wanted to only allow the root user (so neither IAM users nor roles can access it, only the root). I ended up with this policy which seems to work:

  "Version": "2012-10-17",
  "Id": "Policy1544958708832",
  "Statement": [
      "Sid": "Stmt1544958705029",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::<accountid>:root"
      "Action": [
      "Resource": "arn:aws:s3:::<bucket>/*"

I verified that I can not access the objects in the bucket with an Administrator user, but I can access them when signed in with the root user.

But I don’t see why it works. I thought that the :root is the whole account and not just the root user (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html), so that it should allow other users to access the objects. But I see it’s not.

Why is that?


Tamas, the "root" is a special type of user that owns the top level account identified by the unique aws account id. This is also similar to root login on unix systems that is native. The policy you wrote above is the correct way to accomplish exclusive access to s3 bucket – through an inline policy that explicitly locks it down to a specific user (=in this case the root)


When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html

2 Answers

Remember that with S3, access is based on a combination of the bucket policy as well as the IAM policy associated with the user. The Root user will have access to run any S3 API calls, whereas an ordinary user has no permissions by default, until you go in and add them.

Abi Pk

but it is the Administrator user that is trying to access S3 and as Tamas mentioned the arn covers all users in the account – But why still the user with Administrator access does not see S3 bucket?

@Tamas, did you find out the answer? I still dont understand why the Administrator even with all rights cannot access the S3 bucket in this case. The Deny NotPrincipal seems to include only the Account root but not its IAM users (even if IAM users have access like Administrator in this case). On the contrary, Allow Principal includes both the Account root and its IAM users (that has access via IAM policy).

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?