I can't figure out how to restrict the S3 upload functionality -- specifically: s3Client.putObject(request); (using Java SDK v1.11.298).

My setup is identical to the How to Restrict Amazon S3 Bucket Access to a Specific IAM Role blog post.

Bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::MyExampleBucket",
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "111111111111"
          ]
        }
      }
    }
  ]
}

My user is in a group that has AdministratorAccess which transitively gives him s3:* permissions.

From what I understand, that should be overridden by the bucket's policy, which explicitly only allows users who assume the role to take any action on the bucket.

The funny thing is that read permissions act as expected. If the user doesn't assume the Role associated with AROAEXAMPLEID, they are not able to read the files in the bucket, but they are still allowed to upload.

I need to restrict upload and read to only users who can assume the role.

Comments:

Is this a case where you need "Resource": [ "arn:aws:s3:::MyExampleBucket", "arn:aws:s3:::MyExampleBucket/*" ], ...? (Michael - sqlbot)

Good catch! Thanks! - Please type that in as an answer so I can give you credit! (sdc)

1 Answer

S3 policies (bucket or IAM) can be difficult because it isn't always clear whether the action expects to be applied to the bucket itself as "Resource": "arn:aws:s3:::MyExampleBucket" or the objects as "Resource": "arn:aws:s3:::MyExampleBucket/*".

In the case of the s3:PutObject action, it's the path, while the policy shown only impacts the bucket. For the s3:* action, you want both.

"Resource": [ 
    "arn:aws:s3:::MyExampleBucket",
    "arn:aws:s3:::MyExampleBucket/*"
], ...

The Resource key in policies accepts either a string or an array of strings.
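The mistake in the question (a Deny on s3:* whose Resource names only the bucket ARN, so object actions such as PutObject are never denied) is easy to miss by eye. The following is an added example, not code from the question, the answer or AWS: a small policy check that flags Deny statements whose Action reaches objects but whose Resource lists no "bucket/*" ARN. It assumes the policy is available as a JSON string; the list of representative object-level actions is the author's own choice.

```python
"""Flag S3 Deny statements that reach object actions but name only the bucket ARN."""
import fnmatch
import json

# Representative object-level actions (assumed subset). If a statement's Action
# pattern matches any of them, Resource must include "arn:aws:s3:::<bucket>/*".
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]


def _as_list(value):
    """Policy fields may be a string or an array of strings; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers_object_action(actions):
    """True if any Action pattern (e.g. "s3:*") matches an object-level action."""
    return any(fnmatch.fnmatchcase(obj.lower(), pat.lower())
               for pat in actions for obj in OBJECT_ACTIONS)


def _covers_objects(resource):
    """True for "*", "arn:aws:s3:::*" or any ARN with a key part after the bucket."""
    if resource == "*":
        return True
    name = resource.split(":::", 1)[-1]
    return name == "*" or "/" in name


def find_incomplete_deny_statements(policy_json):
    """Return (statement id, [missing object ARNs]) for each Deny statement whose
    Action reaches objects while its Resource names only buckets."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not _covers_object_action(_as_list(stmt.get("Action", []))):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(_covers_objects(r) for r in resources):
            continue  # at least one object-level ARN present
        findings.append((stmt.get("Sid", f"Statement[{idx}]"), [r + "/*" for r in resources]))
    return findings


# Constructed from the policy in the question (bucket ARN only) and the fix in the answer.
BROKEN = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::MyExampleBucket",
    "Condition": {"StringNotLike": {"aws:userId": ["AROAEXAMPLEID:*", "111111111111"]}}}]})
FIXED = BROKEN.replace('"arn:aws:s3:::MyExampleBucket"',
                       '["arn:aws:s3:::MyExampleBucket", "arn:aws:s3:::MyExampleBucket/*"]')

if __name__ == "__main__":
    print(find_incomplete_deny_statements(BROKEN))  # [('Statement[0]', ['arn:aws:s3:::MyExampleBucket/*'])]
    print(find_incomplete_deny_statements(FIXED))   # []
```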