
I have an IAM User with a policy containing the statement below:

    {
        "Action": [
            "s3:*"
        ],
        "Effect": "Allow",
        "Resource": "*"
    },

I am trying, without success, to deny access to this user with an S3 resource policy.
Here is the S3 policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BlockRootAndHomeListingOfCompanyBucket",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"
                },
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::my-bucket",
                "Condition": {
                    "StringEquals": {
                        "s3:prefix": [
                            "",
                            "user/",
                            "user/my_user"
                        ],
                        "s3:delimiter": "/"
                    }
                }
            },
            {
                "Sid": "BlockAllOnSharedFolder",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"
                },
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::my-bucket",
                "Condition": {
                    "StringLike": {
                        "s3:prefix": "shared/*"
                    }
                }
            }
        ]
    }

All works for the 1st statement, where the user cannot list any of the objects listed.
The problem is with the 2nd statement, for the shared folder.
Originally the 2nd statement had "Action": "s3:ListBucket" and all worked.
Later I changed the ListBucket to '*' (as in the code above) and waited over 20 minutes to make sure that the policy would be activated.

The problem is that the policy denies only ListBucket for the my-bucket/shared folder:

$aws s3 ls s3://my-bucket/shared/folder/x1.txt
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: User: arn:aws:iam::ACCOUNT_NUMBER:user/my_user is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my-bucket" with an explicit deny in a resource-based policy

$ aws s3 rm s3://my-bucket/shared/folder/x1.txt
delete: s3://my-bucket/shared/folder/x1.txt

$ aws s3 cp x2.txt s3://my-bucket/shared/folder/
upload: ./x2.txt to s3://my-bucket/shared/folder/x2.txt

The cp and rm actions take effect: objects are added to / removed from the S3 folder.

What am I missing in the above policy to deny all actions on the my-bucket/shared folder?


Answers


  1. Chosen as BEST ANSWER

    I was hoping that expanding Resource from @John Rotenstein's proposal could work for the folder as it works for the bucket. But with the policy below, the folder denies PutObject and DeleteObject but allows ListBucket:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BlockAllOnSharedFolder",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::my-bucket/shared",
                    "arn:aws:s3:::my-bucket/shared/",
                    "arn:aws:s3:::my-bucket/shared/*"
                ]
            }
        ]
    }

    I had to add a separate statement to block ListBucket.

    Here is the full policy that blocks listing and put/delete on the bucket/folder in my case:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BlockObjectActionsOnSharedFolder",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::my-bucket/shared",
                    "arn:aws:s3:::my-bucket/shared/",
                    "arn:aws:s3:::my-bucket/shared/*"
                ]
            },
            {
                "Sid": "BlockBucketListingOfMyBucket",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"
                },
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::my-bucket",
                "Condition": {
                    "StringLike": {
                        "s3:delimiter": "/",
                        "s3:prefix": "shared*"
                    }
                }
            }
        ]
    }


  2. Some Amazon S3 operations take place on the bucket, such as ListBucket:

    "Resource": "arn:aws:s3:::my-bucket",
    

    Some operations take place on the objects, such as DeleteObject and PutObject:

    "Resource": "arn:aws:s3:::my-bucket/*",
    

    Note the /* in the Resource, which is required when using object-level operations.

    You can combine them together with:

    "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
    ]
    

    This should make the s3:* actions recognised for both bucket- and object-level operations.
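As an added illustration (not part of the question or either answer), the script below models the explicit-deny check for the asker's original second statement beside the accepted answer's object-level statement, against the three CLI calls from the question. It is a simplified evaluator written for this page, not AWS's own logic; the request contexts (ListObjectsV2 on the bucket ARN with the key as s3:prefix, object actions on the object ARN with no s3:prefix key) are assumptions drawn from the error message and the S3 condition-key behaviour.

```python
import re

# Offline model of the explicit-deny step of IAM evaluation: Action, Resource and
# StringEquals/StringLike conditions only (no Allow, Not*, *IfExists, policy variables).
ORIGINAL = {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket",
            "Condition": {"StringLike": {"s3:prefix": "shared/*"}}}
FIXED = {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::my-bucket/shared", "arn:aws:s3:::my-bucket/shared/",
                      "arn:aws:s3:::my-bucket/shared/*"]}

# Constructed request contexts for the three CLI calls: `aws s3 ls` is ListObjectsV2 on
# the bucket ARN with the key in s3:prefix; rm/cp act on the object ARN with no s3:prefix.
REQUESTS = {
    "ls": ("s3:ListBucket", "arn:aws:s3:::my-bucket",
           {"s3:prefix": "shared/folder/x1.txt", "s3:delimiter": "/"}),
    "rm": ("s3:DeleteObject", "arn:aws:s3:::my-bucket/shared/folder/x1.txt", {}),
    "cp": ("s3:PutObject", "arn:aws:s3:::my-bucket/shared/folder/x2.txt", {}),
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def explicit_deny(statement, action, resource, context):
    if statement["Effect"] != "Deny":
        return False
    if not any(_match(p, action) for p in _as_list(statement["Action"])):
        return False
    if not any(_match(p, resource) for p in _as_list(statement["Resource"])):
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, patterns in keys.items():
            if key not in context:  # key absent from the request: condition fails
                return False
            if operator == "StringEquals":
                ok = context[key] in _as_list(patterns)
            elif operator == "StringLike":
                ok = any(_match(p, context[key]) for p in _as_list(patterns))
            else:
                raise ValueError("operator not modelled: " + operator)
            if not ok:
                return False
    return True

def denied_by(statement):
    return {name: explicit_deny(statement, *req) for name, req in REQUESTS.items()}
```

Running `denied_by(ORIGINAL)` shows only the `ls` call denied, because the object ARNs never match the bare bucket ARN and the object requests carry no s3:prefix key; `denied_by(FIXED)` denies `rm` and `cp` but not `ls`, which is why the accepted answer needed its separate ListBucket statement.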
