AWS S3 deny all access except for 1 user - bucket policy

2
votes

I have set up a bucket in AWS S3. I granted access to the bucket for my IAM user with an ALLOW policy (Using the Bucket Policy Editor). I was able to save files to the bucket with the user. I have been working with the bucket for media serving before, so it seems the default action is to give public permission to view the files (images), which is fine for most web sites.

In my new project I want to be able to access the S3 bucket with an IAM user but want to deny all other access. No public read access, no access whatsoever besides the IAM user who should have full access save/delete whatever.

What seems like I should do, I was reading about here. It says to create a Deny policy using the NotPrincipal attribute, and that way it will still allow that user, but deny everyone else. For good measure I also added an Allow policy just for the user I want:

{
    "Version": "2012-10-17",
    "Id": "Policy**********",
    "Statement": [
        {
            "Sid": "Stmt**********",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::*********:user/my_user"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my_bucket/*"
        },
        {
            "Sid": "Stmt*************",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::**********:user/my_user"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}

But this is denying access to everyone even my_user. Again I can confirm that I had access when I just used the Allow portion of the policy above, but then the public also has read access, which I am trying to turn off.

How can I set up my bucket policy to give full access to only the unique IAM user and deny all access to any other user?

Thanks.

2
securityamazon-s3bucket
How, specifically, is "my_user" accessing the bucket?Michael - sqlbot

2 Answers

5
votes

It's quite simple:

  • By default, buckets have no public access
  • Do NOT add a Bucket Policy, since you do not want to grant access public access
  • Instead, add a policy to the IAM User granting them access

The main thing to realise is that the IAM User cannot access content via unauthenticated URLS (eg s3.amazonaws.com/bucket/file.jpg) because S3 doesn't know who they are. When the IAM User accesses the content, they will need to use authenticated access so that S3 knows who they are, such as:

The policy on the IAM User would look something like:

{
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::my_bucket",
    "arn:aws:s3:::my_bucket/*"
  ]
}
0
votes

If I understand correctly, allow access to buket only for 1 IAM user. We can use the bucket policy. I got this in netApp documnetation.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::95390887230002558202:federated-user/Bob"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::95390887230002558202:federated-user/Bob"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ]
    }
  ]
}