I can't figure out how to restrict the s3 upload functionality -- specifically: s3Client.putObject(request);
(using Java SDK v1.11.298)
My setup is identical to the How to Restrict Amazon S3 Bucket Access to a Specific IAM Role blog post
bucket policy
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::MyExampleBucket",
                "Condition": {
                    "StringNotLike": {
                        "aws:userId": [
                            "AROAEXAMPLEID:*",
                            "111111111111"
                        ]
                    }
                }
            }
        ]
    }
My user is in a group that has AdministratorAccess, which transitively gives him s3:* permissions.
From what I understand, that should be overridden by the bucket's policy, which explicitly only allows users who assume the role to take any action on the bucket.
The funny thing is that read permissions act as expected. If the user doesn't assume the role associated with AROAEXAMPLEID, they are not able to read the files in the bucket, but they are still allowed to upload.
I need to restrict upload and read to only users who can assume the role.
    "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
    ], ...
? – Michael - sqlbot
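An added example, not code from the question or the comment: object-level S3 actions such as s3:PutObject and s3:GetObject are evaluated against the object ARN (arn:aws:s3:::bucket/key), not the bucket ARN, so a Deny whose Resource names only the bucket never reaches an upload. The offline check below reads a constructed copy of the policy above, reports which object-level actions the Deny statement leaves uncovered, and returns the policy with the `/*` object resource appended; the action sets and the `some-key` placeholder are assumptions for the demonstration.

```python
import json
import re

# Constructed copy of the bucket policy from the question (bucket ARN only).
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::MyExampleBucket",
    "Condition": {"StringNotLike": {"aws:userId": ["AROAEXAMPLEID:*", "111111111111"]}}
  }]
}"""

# Assumed representative sets: object actions evaluate against arn:aws:s3:::bucket/key,
# bucket actions evaluate against the bucket ARN itself.
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, flags=0):
    # IAM patterns support the '*' wildcard; action names are case-insensitive.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value, flags) is not None

def uncovered_actions(policy_json, bucket):
    """Actions a Deny statement matches by name but whose target ARN its Resource never covers."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    checks = [(a, f"{bucket_arn}/some-key") for a in OBJECT_ACTIONS]  # placeholder key
    checks += [(a, bucket_arn) for a in BUCKET_ACTIONS]
    gaps = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        for action, target in checks:
            if any(_glob(p, action, re.IGNORECASE) for p in actions) and \
               not any(_glob(r, target) for r in resources):
                gaps.add(action)
    return sorted(gaps)

def add_object_resource(policy_json, bucket):
    """Return the policy with arn:aws:s3:::bucket/* added to every Deny that names the bucket ARN."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy["Statement"]:
        resources = _as_list(stmt["Resource"])
        if stmt.get("Effect") == "Deny" and bucket_arn in resources and f"{bucket_arn}/*" not in resources:
            stmt["Resource"] = resources + [f"{bucket_arn}/*"]
    return json.dumps(policy, indent=2)
```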