1 Answer
Yes, use Deny NotPrincipal! https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
In the lab it goes into how to make sure only one group has access to the bucket, but then ends up showing that the explicit deny overrides it and never goes back to how to do this. If most users have read/write access to S3 buckets via IAM, but you only want certain users or a group to be able to write to a particular one, then how do you do it? It almost seems like you need to make your explicit deny principal everyone not in a group. Is that the best practice, and what is the syntax for it?
You can use Deny NotPrincipal for this; however, there are some real-life implications to the use of Deny NotPrincipal specifically with S3 buckets (especially for things like federated users).
Thanks Marty! I found this article too: https://aws.amazon.com/blogs/security/how-to-create-a-policy-that-whitelists-access-to-sensitive-amazon-s3-buckets/ Strangely, it doesn't prevent users from listing what is in the bucket, even when I denied all S3 actions to everyone other than the one user.

Or I should say, the way I did it didn't deny other users from listing objects, when I did it like this:

```json
{
  "Version": "2012-10-17",
  "Id": "Policyxxxxxxx",
  "Statement": [
    {
      "Sid": "Stmtxxxxxxx",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::xxxxxx:user/mys3user"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::xxxxxxxxsecuritybucket/*"
    }
  ]
}
```
You need to use "Resource": "arn:aws:s3:::xxxxxxxxsecuritybucket" for listing objects, as that applies to the bucket as a whole, whereas /* refers to the objects in the bucket.
Thanks Marty!
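The point of the last reply (s3:ListBucket is authorized against the bucket ARN, not the object ARN, so a Deny whose Resource is only bucket/* never matches it) is easy to check without an AWS account. The following is an added example written for this page, not code from the thread or from AWS; it builds the Deny/NotPrincipal bucket policy both ways and runs a deliberately simplified model of IAM matching over it. The bucket name, account ID and user names are constructed placeholders, and the evaluator handles only Effect/Action/Resource/NotPrincipal wildcard matching (no Condition, no identity policies, no implicit-deny tracking), which is all that is needed to show the difference.

```python
"""Model why a Deny/NotPrincipal statement scoped to bucket/* does not stop s3:ListBucket.

Added example for this thread; not the original poster's or AWS's code.
All ARNs are constructed placeholders. The evaluator is intentionally partial:
it only models the statement elements the thread is about.
"""
import fnmatch
import json

# Constructed placeholders (assumptions, not real resources).
BUCKET = "arn:aws:s3:::example-security-bucket"
ALLOWED_USER = "arn:aws:iam::111122223333:user/mys3user"
OTHER_USER = "arn:aws:iam::111122223333:user/someone-else"


def deny_all_but(principals, resources):
    """Bucket policy: deny every s3 action to everyone NOT in `principals`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyEveryoneElse",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": list(principals)},
                "Action": "s3:*",
                "Resource": list(resources),
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are matched case-sensitively with '*' / '?' wildcards.
    return fnmatch.fnmatchcase(resource, pattern)


def is_explicitly_denied(policy, principal, action, resource):
    """True if any Deny statement in `policy` applies to this request.

    Simplified model: a Deny applies when action and resource match and the
    caller is not listed in NotPrincipal (or is listed in Principal).
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "NotPrincipal" in stmt:
            if principal in _as_list(stmt["NotPrincipal"]["AWS"]):
                continue  # exempted caller, this Deny does not apply
        elif "Principal" in stmt:
            allowed = _as_list(stmt["Principal"].get("AWS", []))
            if "*" not in allowed and principal not in allowed:
                continue
        return True
    return False


# The policy as posted in the thread: objects only.
OBJECTS_ONLY_POLICY = deny_all_but([ALLOWED_USER], [f"{BUCKET}/*"])
# The corrected form: bucket ARN (for ListBucket) plus object ARNs.
BUCKET_AND_OBJECTS_POLICY = deny_all_but([ALLOWED_USER], [BUCKET, f"{BUCKET}/*"])


def check(policy):
    """Evaluate the three requests that distinguish the two policies."""
    return {
        # ListBucket is authorized against the bucket ARN itself.
        "other_list_denied": is_explicitly_denied(policy, OTHER_USER, "s3:ListBucket", BUCKET),
        # GetObject is authorized against an object ARN.
        "other_get_denied": is_explicitly_denied(policy, OTHER_USER, "s3:GetObject", f"{BUCKET}/secret.txt"),
        # The exempted user must not be caught by either variant.
        "owner_get_denied": is_explicitly_denied(policy, ALLOWED_USER, "s3:GetObject", f"{BUCKET}/secret.txt"),
    }


if __name__ == "__main__":
    for name, policy in (("objects only", OBJECTS_ONLY_POLICY),
                         ("bucket + objects", BUCKET_AND_OBJECTS_POLICY)):
        print(name, check(policy))
    print(json.dumps(BUCKET_AND_OBJECTS_POLICY, indent=2))
```

With the objects-only policy the model reports `other_list_denied: False`, which is exactly the behaviour described in the thread; adding the bare bucket ARN to Resource flips it to True while leaving `owner_get_denied` False. Two caveats that the AWS NotPrincipal documentation linked above spells out and that this toy evaluator does not enforce: a Deny/NotPrincipal that exempts an IAM user should normally also list the account's root ARN, or the account itself can be locked out of the bucket; and when the exempted caller is a role (the federated-user case mentioned earlier), both the role ARN and the assumed-role session ARN must be listed, because the session ARN is what appears in the request.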