The premise is this: I want groups that give permissions to Actions, and groups that give permissions to AWS resources. By adding users to multiple groups, I should be able to control permissions to resources per user. However, when implementing the policies below, access to S3 buckets is not properly restricted:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::*/*"
            ],
            "Effect": "Allow"
        }
    ]
}


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::path/to/my/bucket/directory",
                "arn:aws:s3:::path/to/my/bucket/directory/*"
            ],
            "Effect": "Allow"
        }
    ]
}

2 Answers

  1. When a user is in multiple groups, all groups’ statements (both Allow and Deny) are merged. As always, in the resulting policy Deny statements take precedence over Allow.

    In your case, the resulting policy would allow:

    1. The five actions on all S3 resources, AND
    2. Any action on path/to/my/bucket/directory and its children.

    In other words, combining Allow-only policies can only result in a more permissive policy, not less.

    You could try some dirty hacks denying NotActions on NotResources, but it’s impossible to override deny statements should you later want to allow the users something else.

  2. As previously noted, you cannot accomplish this using IAM Groups and identity-based permission policies. However, there are other ways to accomplish something similar.

    For instance, if you can set up your application so that the first permission statement is in an identity-based permission policy (i.e., attached directly to the User or Role or indirectly through a Group) and that the second is in a privilege boundary or session policy, then you’d have what you want: privilege boundaries and session policies cannot grant permissions but if one is in place, then any action attempted must be allowed by both the caller’s identity-based permission policies and any applicable privilege boundaries and session policies. (Note that there are some special cases involving resource-based permission policies where privilege boundaries and session policies don’t apply.)

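To make both answers concrete, here is an added Python model of the evaluation logic (not code from the question or either answer, and a deliberate simplification that ignores resource-based policies, SCPs and Condition blocks). It shows that attaching both statements through groups yields the union of the grants, while keeping the resource statement as a permissions boundary (what the second answer calls a privilege boundary) yields the intersection.

```python
import fnmatch

# The two statements from the question, as written on the page.
ACTIONS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload",
               "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads"],
    "Resource": ["arn:aws:s3:::*/*"]}]}
RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::path/to/my/bucket/directory",
                 "arn:aws:s3:::path/to/my/bucket/directory/*"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM treats '*' and '?' as wildcards ('*' also spans '/'); action names
    # are matched case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Simplified policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt.get("Action", []), action) and \
               _matches(stmt.get("Resource", []), resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision

def is_allowed(identity_policies, action, resource, boundary=None):
    """A permissions boundary never grants anything by itself: the request must
    be allowed by the identity-based policies AND by the boundary, if one is set."""
    if evaluate(identity_policies, action, resource) != "Allow":
        return False
    if boundary is not None and evaluate([boundary], action, resource) != "Allow":
        return False
    return True

if __name__ == "__main__":
    leaked = "arn:aws:s3:::other-bucket/secret.txt"  # constructed sample object
    print("both via groups:", is_allowed([ACTIONS_POLICY, RESOURCE_POLICY], "s3:GetObject", leaked))
    print("as boundary:   ", is_allowed([ACTIONS_POLICY], "s3:GetObject", leaked, RESOURCE_POLICY))
```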