Certified Security - Specialty


Using bucket policies only allow specific users

In the lab it goes into how to make sure only one group has access to the bucket, but then ends up showing that the explicit deny overrides it and never goes back to how to do this. If most users have read/write to S3 buckets via IAM but you only want certain users or a group to be able to write to a particular one, then how do you do it? It almost seems like you need to make your explicit deny principal everyone not in a group. Is that the best practice, and what is the syntax for it?

Marty Chong

You can use Deny NotPrincipal for this; however, there are some real-life implications for the use of Deny NotPrincipal specifically with S3 buckets (especially for things like federated users).


Thanks Marty! I found this article too: https://aws.amazon.com/blogs/security/how-to-create-a-policy-that-whitelists-access-to-sensitive-amazon-s3-buckets/ Strangely, it doesn't prevent users from listing what is in the bucket even when I denied all S3 actions to everyone other than the one user.


Or I should say that the way I did it didn't deny other users from listing objects. I did it like this:

    {
        "Version": "2012-10-17",
        "Id": "Policyxxxxxxx",
        "Statement": [
            {
                "Sid": "Stmtxxxxxxx",
                "Effect": "Deny",
                "NotPrincipal": {
                    "AWS": "arn:aws:iam::xxxxxx:user/mys3user"
                },
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::xxxxxxxxsecuritybucket/*"
            }
        ]
    }

Marty Chong

You need to use "Resource": "arn:aws:s3:::xxxxxxxxsecuritybucket" for listing objects, as that applies to the bucket as a whole, whereas /* refers to objects in the bucket.


Thanks Marty!
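The following is an added example, not code from the thread or from AWS. It builds the two variants of the Deny NotPrincipal bucket policy discussed above (the object-only Resource from the original post, and the corrected one that also names the bucket ARN) and runs them through a small toy evaluator to show why ListBucket was not denied in the first version. The account id, bucket name and user names are constructed placeholders, and the evaluator only models Deny statements with string and wildcard matching; real IAM evaluation (roles, session principals, conditions, cross-account rules) is richer than this. The account root ARN is included in NotPrincipal because AWS documents that a Deny with NotPrincipal must exempt the account as well as the user, otherwise the whole account can be locked out.

```python
import fnmatch
import json

# Constructed placeholders for the example; not real identifiers.
ACCOUNT = "111122223333"
BUCKET = "examplesecuritybucket"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
ALLOWED_USER = f"arn:aws:iam::{ACCOUNT}:user/mys3user"
ACCOUNT_ROOT = f"arn:aws:iam::{ACCOUNT}:root"
OTHER_USER = f"arn:aws:iam::{ACCOUNT}:user/someoneelse"


def deny_all_but(user_arn, resources):
    """Bucket policy that denies every S3 action on `resources` to
    everyone except `user_arn` (and the account root, as AWS requires)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyEveryoneExceptOneUser",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": [user_arn, ACCOUNT_ROOT]},
                "Action": "s3:*",
                "Resource": resources,
            }
        ],
    }


# Variant from the original post: only objects are covered, so
# s3:ListBucket (evaluated against the bucket ARN) is never matched.
OBJECTS_ONLY = deny_all_but(ALLOWED_USER, [f"{BUCKET_ARN}/*"])

# Corrected variant: both the bucket ARN and the object ARNs are covered.
BUCKET_AND_OBJECTS = deny_all_but(ALLOWED_USER, [BUCKET_ARN, f"{BUCKET_ARN}/*"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards ('*' and '?') behave like shell globs; fnmatchcase is
    # case-sensitive and treats '/' like any other character, as IAM does.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def explicitly_denied(policy, principal_arn, action, resource):
    """Toy evaluator: True if any Deny statement matches the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotPrincipal" in stmt:
            # Deny applies to everyone NOT listed here.
            if principal_arn in _as_list(stmt["NotPrincipal"]["AWS"]):
                continue
        elif "Principal" in stmt:
            if stmt["Principal"] != "*" and principal_arn not in _as_list(
                stmt["Principal"].get("AWS", [])
            ):
                continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        return True
    return False


def policy_json(policy):
    """Pretty-printed policy document, as you would paste into the console."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    for name, policy in (("objects only", OBJECTS_ONLY), ("bucket + objects", BUCKET_AND_OBJECTS)):
        listing = explicitly_denied(policy, OTHER_USER, "s3:ListBucket", BUCKET_ARN)
        reading = explicitly_denied(policy, OTHER_USER, "s3:GetObject", f"{BUCKET_ARN}/secret.txt")
        print(f"{name}: other user denied ListBucket={listing}, GetObject={reading}")
    print(policy_json(BUCKET_AND_OBJECTS))
```

Running it shows the asymmetry from the thread: with only `bucket/*` as the Resource, GetObject on an object is denied but ListBucket on the bucket itself is not; once the bare bucket ARN is added, both are denied for everyone except the allowed user and the account root. The blog post linked above sidesteps NotPrincipal entirely by using a Condition on aws:userId, which is the approach to prefer when the allowed identities are roles or federated users whose session ARNs cannot be listed in advance.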

