Certified Security - Specialty


Explicit Deny with Principal element

I'm trying to explicitly deny everyone for a particular bucket (test-suvro-02132017) except the root user and a particular user (choudhurys3access). So I followed this Amazon doc: https://aws.amazon.com/premiumsupport/knowledge-center/explicit-deny-principle-elements-s3/ and the following is my S3 bucket policy. Note: user "choudhurys3access" has the AWS managed policy s3fullaccess. My expectation is that, except for this user and my root, everyone would be denied any S3 activity on this bucket. However, it looks like even this user (choudhurys3access) can't get/put any object in this bucket. Thoughts?

Please note the unique ID of this user first:

```json
{
  "User": {
    "UserName": "choudhurys3access",
    "PasswordLastUsed": "2018-02-24T13:18:57Z",
    "CreateDate": "2018-02-24T04:03:03Z",
    "UserId": "AIDAIDGDHUPLOP2PSST3O",
    "Path": "/",
    "Arn": "arn:aws:iam::146507502578:user/choudhurys3access"
  }
}
```

```json
{
  "Version": "2012-10-17",
  "Id": "Policy1519481648930",
  "Statement": [
    {
      "Sid": "Stmt1519481362889",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::test-suvro-02132017",
        "arn:aws:s3:::test-suvro-02132017/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:userid": [
            "AIDAIDGDHUPLOP2PSST3O:*",
            "146507502578"
          ]
        }
      }
    },
    {
      "Sid": "Stmt1519481635826",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::test-suvro-02132017",
        "arn:aws:s3:::test-suvro-02132017/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userid": [
            "AIDAIDGDHUPLOP2PSST3O:*",
            "146507502578"
          ]
        }
      }
    }
  ]
}
```

sumitsadekar

I would think just applying the DENY clause should work. You should NOT need the ALLOW clause.

2 Answers

I did a similar experiment, creating a DENY All S3 bucket policy: I had an Admin IAM user (not root) create the DenyALL policy for the S3 bucket that Ryan showed in his video.

But under the PERMISSIONS tab I added the Admin user's Canonical name to "Access for Other AWS Accounts", checking List Objects / Write Objects, Read bucket policies and Write bucket policies.

After the Deny All bucket policy was applied I had a very limited view of the bucket, getting Access Denied on ALL bucket screens.

I could not even see the bucket contents, even though I had selected under ACCESS FOR OTHER AWS ACCOUNTS to give the Admin user List, Read and Write object permissions. I also did not have the DELETE option enabled, and I could not see the Bucket Policy anymore, only Access Denied.

I logged in as the ROOT account, and when I went to the same S3 bucket I had mostly Access Denied messages and could not see the files in the bucket, but I could SEE the Bucket Policy ("Deny ALL" policy), and I was able to create an ALLOW ALL S3 bucket policy, copy and paste it on TOP of the DENY ALL policy and SAVE it, and everything showed up.

Conclusion:

So the EXPLICIT DENY ALL still seems to OVERRULE everything; even with the EXPLICIT ALLOW set up under "Access to other AWS accounts", the IAM user Admin account was overridden by DENY ALL. The same went for most of the ROOT account's capabilities on S3, but it was allowed to change the bucket policy to ALLOW ALL…. Interesting that AWS allows the ROOT user to keep some limited capabilities to "fix" some policies.

I'm not 100% sure, but to me the ":" in "AIDAIDGDHUPLOP2PSST3O:*" shouldn't be there. This would make the StringNotLike in the DENY always be true except for the root user.
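To make the point of the answer above concrete, here is an added example (not part of the original thread and not AWS's own code) that reproduces how a StringLike / StringNotLike condition matches aws:userid values and then builds the deny-only bucket policy the thread converges on. The account ID, user ID and bucket name are the ones posted in the question; the role ID and session name are made up. An IAM user's aws:userid is its bare unique ID (AIDA...), the root user's is the bare account ID, and only an assumed role's carries the ":session-name" suffix, so the pattern "AIDA...:*" can never match the IAM user and the Deny in the posted policy applies to that user:

```python
import re

# Constructed sample aws:userid values. The account ID and IAM user ID are the
# ones posted in the question; the role ID and session name are made up.
ROOT_USERID = "146507502578"                   # root user: the bare account ID
IAM_USERID = "AIDAIDGDHUPLOP2PSST3O"            # IAM user: bare unique ID, no suffix
ROLE_USERID = "AROAEXAMPLEROLEID00:my-session"  # assumed role: role ID ":" session name (hypothetical)

# Pattern list from the posted policy, and the corrected list (no ":*" on the user ID).
ORIGINAL_PATTERNS = ["AIDAIDGDHUPLOP2PSST3O:*", "146507502578"]
CORRECTED_PATTERNS = ["AIDAIDGDHUPLOP2PSST3O", "146507502578"]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters (including none), '?' matches exactly one; all else literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def deny_applies(patterns, userid: str) -> bool:
    """Condition of the Deny statement: StringNotLike with several values is
    true (the Deny fires) only when the key matches none of them."""
    return not any(string_like(p, userid) for p in patterns)


def evaluate(patterns) -> dict:
    """Which of the three sample callers the Deny statement would block."""
    return {
        "root": deny_applies(patterns, ROOT_USERID),
        "iam_user": deny_applies(patterns, IAM_USERID),
        "assumed_role": deny_applies(patterns, ROLE_USERID),
    }


def deny_only_policy(bucket: str, allowed_userids) -> dict:
    """Bucket policy with the Deny statement alone. The Allow for the IAM user
    comes from its identity policy (s3fullaccess in the question), so the bucket
    policy only needs to carve the exceptions out of the Deny. An explicit Deny
    wins over any Allow, so a caller missing from allowed_userids is locked out."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllExceptListed",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringNotLike": {"aws:userid": list(allowed_userids)}},
            }
        ],
    }


if __name__ == "__main__":
    import json

    print("posted patterns :", evaluate(ORIGINAL_PATTERNS))
    print("corrected       :", evaluate(CORRECTED_PATTERNS))
    print(json.dumps(deny_only_policy("test-suvro-02132017", CORRECTED_PATTERNS), indent=2))
```

With the posted patterns, evaluate() reports the IAM user as denied and only root as allowed, which is exactly the behaviour described in the question; with the corrected list the user is allowed and a role session (which would need its own "AROA...:*" entry) stays denied. Keep the root account ID in the list: as the first answer found, a Deny with Principal "*" that omits it blocks the account's own administrators, and fixing the policy then depends on root still being able to edit it.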
