2 Answers
Use an "explicit deny" with a "NotPrincipal" in bucket policy. The policy will ensure no other user can access the buckets other than the users listed in the "NotPrincipal".
Sample policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "NotPrincipal": {
      "AWS": ["arn:aws:iam::1234567890:user/alloweduser"]
    }
  }]
}
This policy will allow "alloweduser" to have full access to S3 examplebucket and ensure no other user can access this bucket.
With an Explicit Deny you could also use:
"Condition": {
  "StringNotLike": {
    "aws:userId": [
      "AROAEXAMPLEID:*",
      "111111111111"
    ]
  }
}
Slight point of clarification: actually, the negation listed here (NotPrincipal) won't explicitly grant "full access"; it just punches a hole in the explicit DENY rule around that user (i.e., it simply says "DENY * FOR ALL PRINCIPALS EXCEPT (alloweduser…)"). At that point, any other rules/policies apply.
Why am I getting a policy error?
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "NotPrincipal": {
      "AWS": [
        "arn:aws:iam::000000000000:user/Ami_Ou",
        "arn:aws:iam::000000000000:root"
      ]
    },
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::hyhyh/*",
      "arn:aws:s3:::hyhyh/*"
    ]
  }]
}
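The two answers above describe the same technique in two forms: a Deny statement that exempts principals via NotPrincipal, and a Deny statement that exempts them via a StringNotLike condition on aws:userId. The following is an added example, not code from any of the posters; it builds both policy documents and runs a deliberately simplified matcher over sample requests to show the point made in the clarification comment: a principal outside the exemption is explicitly denied, while a principal inside it is merely "not denied by this statement", which is not the same as being allowed. The account id, bucket name, user ARNs and user ids are constructed placeholders taken from the thread; the matcher models only the policy elements used here and is not IAM's evaluation engine.

```python
import fnmatch
import json

# Constructed sample identifiers (placeholders borrowed from the answers above).
ACCOUNT_ID = "1234567890"
BUCKET = "examplebucket"
ALLOWED_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/alloweduser"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"


def not_principal_policy(bucket, allowed_arns):
    """Deny s3:* on the bucket to every principal except the listed ARNs.
    AWS's NotPrincipal documentation recommends listing the account root ARN
    alongside the user ARN whenever NotPrincipal is combined with Deny, so
    callers should pass both (as the last comment in the thread does)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllButListedPrincipals",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": list(allowed_arns)},
            "Action": "s3:*",
            # Bucket ARN covers bucket-level calls (e.g. ListBucket); /* covers objects.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def user_id_policy(bucket, allowed_user_ids):
    """Same intent expressed with a Condition: deny unless aws:userId matches one
    of the patterns (a role id prefix such as 'AROAEXAMPLEID:*', or an account id,
    which is the aws:userId of that account's root user)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllButListedUserIds",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotLike": {"aws:userId": list(allowed_user_ids)}},
        }],
    }


def policy_json(policy):
    """Serialise a policy the way it would be pasted into the bucket policy editor."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    # IAM-style '*' and '?' wildcards; fnmatchcase keeps the comparison case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_denies(stmt, request):
    """Simplified model of whether one Deny statement matches a request.
    request keys: principal_arn, user_id, action, resource.
    Only Effect, Action, Resource, Principal '*', NotPrincipal and
    StringNotLike are modelled; this is an illustration, not the IAM engine."""
    if stmt.get("Effect") != "Deny":
        return False
    if not _matches_any(request["action"], stmt["Action"]):
        return False
    if not _matches_any(request["resource"], stmt["Resource"]):
        return False
    if "NotPrincipal" in stmt:
        # The statement applies to everyone who is NOT in the list.
        if request["principal_arn"] in _as_list(stmt["NotPrincipal"]["AWS"]):
            return False
    elif stmt.get("Principal") != "*":
        return False
    # StringNotLike holds (so the Deny applies) only when no pattern matches.
    context = {"aws:userId": request.get("user_id")}
    for key, patterns in stmt.get("Condition", {}).get("StringNotLike", {}).items():
        value = context.get(key)
        if value is not None and _matches_any(value, patterns):
            return False
    return True


def is_denied(policy, request):
    """True if any statement explicitly denies the request. False means only
    'not denied by this policy'; an Allow must still come from somewhere else."""
    return any(statement_denies(s, request) for s in policy["Statement"])


if __name__ == "__main__":
    policy = not_principal_policy(BUCKET, [ALLOWED_USER_ARN, ROOT_ARN])
    print(policy_json(policy))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    for arn in (ALLOWED_USER_ARN, f"arn:aws:iam::{ACCOUNT_ID}:user/someoneelse"):
        req = {"principal_arn": arn, "user_id": "AIDAEXAMPLE",
               "action": "s3:GetObject", "resource": obj}
        print(arn, "-> explicitly denied" if is_denied(policy, req) else "-> not denied")
```

Running the script prints the NotPrincipal policy and then shows that "alloweduser" is not denied by it while any other user in the account is. The same `is_denied` check run against `user_id_policy` exempts a role session whose aws:userId starts with the role id and the root user whose aws:userId is the account id, which is exactly the StringNotLike shape from the second answer.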