S3 Bucket Policy to allow S3 Access to Current Authenicated user in AWS Console?

0
votes

I have an application where I am using Cognito to authenticate users and giving temporary access to AWS Console but that user is able to see all other buckets, I want that user just should be able to see or access buckets created by him.

Currently, I have given S3FullAccess Policy to Cognito users. Can anyone suggest which policy I should attach?

As per my R&D, I can some policies are there that can restrict particular user or allow particular user but my users will be dynamic, so I cannot hard-code the values and also policies like allowing/restricting access to particular buckets, I want only users who create buckets should be able to access not other users.

This is something which i found

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::bucket-name",
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "",
                    "home/",
                    "home/${aws:userid}/*"
                ]
            }
        }
    },
    {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::bucket-name/home/${aws:userid}",
            "arn:aws:s3:::bucket-name/home/${aws:userid}/*"
        ]
    }
]
      }

But this is listing all buckets and the only accessible bucket is what put in the code above, I want for new user, it should show nothing and as it creates, it should show that only

1
amazon-web-servicesamazon-s3amazon-cognito

1 Answers

1
votes

This is not going to be easy and you will need to create your own policy and enforce some conventions. You have 3 options.

But first, if each user just needs their own S3 space look at S3 Prefix [here]( https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/) Also, you can do this on the S3 resource bucket. I have a template for doing this here in gitlab

Now back to answering your question.

  • Option 1; They will need to set a tag when they create the bucket where an "owner" tag is equal to their identity. I striked this one out because despite being listed in the IAM policy I'm pretty sure it doesn't work with S3.

  • Option 2: The prefix of the bucket name is equal to their identity.

Then you can use the feature of variables and tags in IAM Policy. Read here

Note that coginto users are web federated identities so the variable aws:username is not aviable for you. Use the aws:userid variable and the value will be role id:caller-specified-role-name where role id is the unique id of the role and the caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRoleWithWebIdentity request

  • Option 3: Use IAM Access Policy

I can not find a link to the how to at the moment. But from here is a detailed description.

Q: How do I control what a federated user is allowed to do when signed in to the console? When you request temporary security credentials for your federated user using an AssumeRole API, you can optionally include an access policy with the request. The federated user’s privileges are the intersection of permissions granted by the access policy passed with the request and the access policy attached to the IAM role that was assumed. The access policy passed with the request cannot elevate the privileges associated with the IAM role being assumed. When you request temporary security credentials for your federated user using the GetFederationToken API, you must provide an access control policy with the request. The federated user’s privileges are the intersection of the permissions granted by the access policy passed with the request and the access policy attached to the IAM user that was used to make the request. The access policy passed with the request cannot elevate the privileges associated with the IAM user used to make the request. These federated user permissions apply to both API access and actions taken within the AWS Management Console.

The nice thing about this approach is you programmatically create the access policy.