I have tried to deny overall access, and then give specific access to a provided user which happens to be the application. I am executing PUT and GET requests using the AWS service API.
I have tried the following, but since I have a deny GET on all users, it will not let the allowed user do a GET request even though it is stated in the policy.
Ideally I would like to allow access to a specific group. I tried using the following , but the bucket policy wouldn't save stating 'Invalid principal in policy - ' arn:aws:iam::222222222222:group/Admin
I would also rather server private content over cloudfront and make the s3 buckets private. Option #2 http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
Is there a better way to this where I deny all access to everyone except specified users?
{
"Sid": "force deny access to private folder",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket/apptest/*"
},
{
"Sid": "allow s3 uplaod and conversion using aws-sdk",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:user/user_name"
},
"Action": [
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:GetObjectAcl",
"s3:GetObjectTorrent",
"s3:RestoreObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:PutObject",
"s3:GetObjectVersionAcl"
],
"Resource": "arn:aws:s3:::bucket/apptest/*"}
