I have a bucket that can be specifically accessed by a user with a particular policy attached to it. Admin users, for example, with managed policies such as AdministratorAccess can of course access all resources and I would like to avoid that. Is the recommended approach that of locking down access via roles?
Thank you
Amazon S3 buckets are private by default.
If you do not wish to grant certain users access to the bucket, then simply do not grant them access.
If you are granting wildcard access to some users (eg Admins), you can add a Bucket Policy with Deny actions that prohibits access to the bucket for all but selected users (via a NotCondition). A Deny will always override an Allow.
However, you will need to code the policies carefully, since Admin users might have permission to modify such policies.
In situations where there is very sensitive information (eg HR data), some companies create a separate AWS Account where only specific users have access and Admin users do not have access. This takes more work, but is likely necessary for sensitive data.
