Simplify multiple AWS S3 Policies

2
votes

Is there a way to somehow simplify the 2 AWS IAM Policy statements given below into one?

I want to allow ListBucket, GetBucketLocation, GetBucketPolicy, GetBucketACL Actions on the bucket, as well as the mainfolder and the subfolders 1,2,3 which are located within the bucket?

I have two statements - one to allow the operations on the bucket and the other to allow operations on the mainfolder and subfolders. Since the actions,Effect and Resource in both statements are the same, is it somehow possible to write a single statement?

Thanks,

John

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": "arn:aws:s3:::bucket"
    },
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToListFilesInAllFolders",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": "arn:aws:s3:::bucket",
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    "mainfolder",
                    "mainfolder/subfolder1",
                    "mainfolder/subfolder2",
                    "mainfolder/subfolder3"
                ],
                "s3:delimiter": "/"
            }
        }
    }
]
2
amazon-web-servicesamazon-s3amazon-iam

2 Answers

4
votes
You can use a list of resources to combine these in to a single statement, like this

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": ["arn:aws:s3:::bucket",
                    "arn:aws:s3:::bucket/mainfolder",
                    "arn:aws:s3:::bucket/mainfolder/subfolder1",
                    "arn:aws:s3:::bucket/mainfolder/subfolder2",
                    "arn:aws:s3:::bucket/mainfolder/subfolder3"
        ]
    }
]
2
votes

You can condense it down even further with the wildcard statement.

http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder",
            "arn:aws:s3:::bucket/mainfolder/*"
        ]
    }
]

or if you want them access to everything in the mainfolder

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder/*"
        ]
    }
]

Now note that

The policy is separated into two parts because the ListBucket action requires permissions on the bucket while the other actions require permissions on the objects in the bucket. We used two different Amazon Resource Names (ARNs) to specify bucket-level and object-level permissions. The first Resource element specifies arn:aws:s3:::test for the ListBucket action so that applications can list all objects in the test bucket. The second Resource element specifies arn:aws:s3:::test/* for the GetObject, PutObject, and DeletObject actions so that applications can read, write, and delete any objects in the test bucket.

https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/