1
votes

I wish to have a bucket that only one IAM user could access using the AWS Console, list its content and access object files inside it.

So, I have created the IAM user, the bucket itself, and later:

a bucket policy as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "statement1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::0000000:user/dave"
                },
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::testbucket1234"
            },
            {
                "Sid": "statement2",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::0000000:user/dave"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::testbucket1234/*"
            }
        ]
    }

And also an inline policy attached to my user's group, as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:*Object",
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::testbucket1234/*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*"
            }
        ]
    }

Now: I can list my buckets, access the desired bucket, and list its contents (so far so good). The problem is when I try to open a file object inside the bucket and I get an "access denied" error. If I make the object public, I can access it, but I can also access it using other IAM accounts, and that is not the intention. I want to access the bucket, list its contents and access objects only by using this specific IAM account. What am I doing wrong? How can I reach this goal? Thanks in advance.

1
What S3 permissions have been granted to other users? Do they have any policies that grant access to all S3 buckets? - John Rotenstein
Hello @JohnRotenstein, actually I only have the policies I have described. And public access was disabled. - Mike Tompson

1 Answer

0
votes

By default, no IAM User can access any bucket. It is only by granting permissions to users that they can access resources.

However, many people tend to grant Amazon S3 permissions for all buckets, at least for Administrators. This then makes it difficult to remove permissions so that a bucket can only be accessed by one user. While it can be done with Deny policies, such policies are difficult to craft correctly.

For situations where specific data should only be accessed by one user, or a specific group of users (eg HR staff), I would recommend that you create a separate AWS Account and only grant permission to specific IAM Users or IAM Groups via a Bucket Policy (which works fine cross-account). This way, any generic policies that grant access to "all buckets" will not apply to buckets in this separate account.


Update: Accessing private objects

Expanding on what is mentioned in the comments below, a private object in Amazon S3 can be accessed by an authorized user. However, when accessing the object, it is necessary to identify who is accessing the object and their identity must be proved. This can be done in one of several ways:

  • In the Amazon S3 management console, use the Open command (in the Actions menu). This will open the object using a pre-signed URL that authorizes the access based upon the user who logged into the console. The same method is used for the Download option.
  • Using the AWS Command-Line Interface (CLI), you can download objects. The AWS CLI needs to be pre-configured with your IAM security credentials to prove your identity.
  • Programs using an AWS SDK can access S3 objects using their IAM security credentials. In fact, the AWS CLI is simply a Python program that uses the AWS SDK.
  • If you want to access the object via a URL, an application can generate an Amazon S3 pre-signed URL. This URL includes the user's identity and a security signature that grants access to a private object for a limited period (eg 5 minutes). This method is commonly used when web applications want to grant access to a private object, such as a document or photo. The S3 management console actually uses this method when a user selects Actions/Open, so that the user can view a private object in their browser.