0
votes

I have configured my S3 bucket with Bucket Policy that looks like this

{
    "Version": "2012-10-17",
    "Id": "Policy100000000000",
    "Statement": [
        {
            "Sid": "Stmt1463490591045",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        },
        {
            "Sid": "Stmt1463490591012",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::012345678900:user/user1",
                    "arn:aws:iam::012345678900:user/user2"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucketname"
        },
        {
            "Sid": "Stmt1463490660089",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::012345678900:user/user1",
                    "arn:aws:iam::012345678900:user/user2"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*.xml"
        }
    ]
}

The goal is to allow access to xml files in the bucket root to the selected users only. The rule doesn't seem to be working, since I get access denied:

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>DE3DB1FF18B53997</RequestId><HostId>Iy+RnfkFKygJWkSTI0dXjssFsGFP2MydZZi/R5KBw5M8mZnfClt6HMOKJvAwy7sJgSx9BJQ3DbN=</HostId></Error>

I've tried fetching the xml files with AWS Node.js and Python SDKs and with aws-cli. I keep getting the same access denied message.

The AWS documentation regarding Bucket Policies is quite scattered around and has not provided me with a solution to the problem. There's very little documentation at all about using notPrincipal in the policy.

The ListBucket permission works all right, which means that the problem is specific to the rule, not the IAM users.

Comments:

I would guess that user1 is blocked because it is not user2 and user2 is blocked because it is not user1. Not sure how to resolve. – Vorsprung

This doesn't seem to be the case. I tried removing one of the users from the permissions but couldn't get access with the other one. This AWS security blog post also has an example listing multiple users in a notPrincipal rule. – juusaw

Change this "Resource": "arn:aws:s3:::bucketname/*.xml" to "Resource": "arn:aws:s3:::bucketname/*" and then try. – error2007s

2 Answers

0
votes

Your last deny policy simply doesn't talk about what should happen (allow or deny) to the requests with principal user1 or user2. When you send an s3 request as user1 or user2, the bucket policy won't have any effect (since it doesn't have any rule matching the principal user1 or user2 w.r.t the given action and the given resource).

The goal is to allow access to xml files in the bucket root to the selected users only

In this situation, you can add a rule that explicitly allows those users access to your xml files.

{
    "Sid": "Stmt1463490660089",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::012345678900:user/user1",
            "arn:aws:iam::012345678900:user/user2"
        ]
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucketname/*.xml"
}
0
votes

The goal is to allow access to xml files in the bucket root to the selected users only

As per the current documentation, S3 does not support listing resources per postfix/file type. It only supports prefixes, so you would need to put a star without .xml at the end (which allows access to all objects at the folder layer); then you could implement logic in your app to decide whether to allow access to the file or not.

For the bucket policy, by default, the S3 policy would allow access as long as the IAM policy has the permission to do so. So the first 2 statements might not be necessary. For the last statement, this might work but needs an additional assumed-role ARN, which will vary depending on what is defined for the role session name.

It is recommended not to use NotPrincipal, and instead to use a Condition key in the statement: put the roleId in a StringNotLike condition so that the deny statement does not apply to that particular roleId. Also include the account number alongside the roleId. Example as follows.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "111111111111"
          ]
        }
      }
    }
  ]
}

Check out this AWS blog for more info: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
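An added example, not from the question or either answer, that simulates the evaluation rule the first answer relies on and the Condition approach from the second: an explicit Deny wins over any Allow, and a Deny whose NotPrincipal or StringNotLike test does not match the caller contributes nothing, leaving an implicit deny unless some Allow matches. The policy literals, the principal ARNs and the aws:userId values are constructed, and only the subset of IAM semantics needed here is modelled.

```python
import re

def _glob(pattern, value):
    # IAM-style wildcard: '*' is any run of characters, '?' a single one
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _aslist(v):
    return [v] if isinstance(v, str) else list(v)

def _principal_ok(stmt, principal):
    # Principal "*" matches everyone; NotPrincipal matches everyone NOT listed
    if "Principal" in stmt:
        p = stmt["Principal"]
        return p == "*" or principal in _aslist(p.get("AWS", []))
    return principal not in _aslist(stmt["NotPrincipal"]["AWS"])

def _conditions_ok(stmt, ctx):
    # Only StringNotLike is modelled: it holds when the key matches NONE of the values
    for key, pats in stmt.get("Condition", {}).get("StringNotLike", {}).items():
        if any(_glob(p, ctx.get(key, "")) for p in _aslist(pats)):
            return False
    return True

def evaluate(policy, principal, action, resource, ctx=None):
    # 'Deny' if any matching statement denies, else 'Allow' if any allows,
    # else 'ImplicitDeny': a Deny that does not match the caller says nothing about it
    ctx, decision = ctx or {}, "ImplicitDeny"
    for s in policy["Statement"]:
        if (any(_glob(a, action) for a in _aslist(s["Action"]))
                and any(_glob(r, resource) for r in _aslist(s["Resource"]))
                and _principal_ok(s, principal) and _conditions_ok(s, ctx)):
            if s["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

USER1 = "arn:aws:iam::012345678900:user/user1"
XML = "arn:aws:s3:::bucketname/*.xml"
# Constructed policies. WITH_ALLOW is the question's NotPrincipal Deny plus the
# explicit Allow from the first answer; NOTPRINCIPAL_ONLY drops that Allow.
WITH_ALLOW = {"Statement": [
    {"Effect": "Deny", "NotPrincipal": {"AWS": [USER1]}, "Action": "s3:GetObject", "Resource": XML},
    {"Effect": "Allow", "Principal": {"AWS": [USER1]}, "Action": "s3:GetObject", "Resource": XML}]}
NOTPRINCIPAL_ONLY = {"Statement": WITH_ALLOW["Statement"][:1]}
# The second answer's approach: deny unless aws:userId is the role id or the account
BY_USERID = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::MyExampleBucket/*", "Condition": {"StringNotLike": {
        "aws:userId": ["AROAEXAMPLEID:*", "111111111111"]}}}]}
```

With NOTPRINCIPAL_ONLY, user1 ends up at ImplicitDeny because no statement matches it; adding the Allow turns that into Allow while every other principal is still explicitly denied for .xml keys.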