Amazon S3 bucket policy deny putObject permissions to all but one user

Question

My goal is to allow one user to put objects into an s3 bucket. I thought of applying a bucket policy. I understand that you can't deny PutObjects to all users, and then override that with an allow to the desired user. I had hoped to use the Condition "ArnNotEquals" to exclude a single user from the deny policy statement:

"Statement": [
    {
        "Sid": "allow only OneUser to put objects",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::myBucket/*",
        "Condition": {
            "ArnNotEquals": {
                "aws:SourceArn": "arn:aws:iam::123456789012:user/OneUser"
            }
        }
    }
]

However, this has the result of denying PutObjects to all users. Am I on the right track? Is there a bucket policy I can craft for this? Or do I need to look elsewhere, like an ACL (Access Control List)?

Check out the answer and comment at stackoverflow.com/questions/9605455/… . It seems he faced a similar problem and his conclusion was to use ACLs since he couldn't get bucket policy to work either. — Scott Willeke

Jeff Walker Code Ranger Jeff Walker Code Ranger · Accepted Answer · 2015-03-17T16:18:59

The way to do this is using the NotPrincipal policy element. It allows you to apply a policy to all principles except a specific list. Your policy would then become:

"Statement": [
    {
        "Sid": "allow only OneUser to put objects",
        "Effect": "Deny",
        "NotPrincipal": {
            "AWS": "arn:aws:iam::123456789012:user/OneUser"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::myBucket/*"
    }
]

Amazon S3 bucket policy deny putObject permissions to all but one user

2 Answers