I have an IAM user with a policy containing the statement below:
{
    "Action": [
        "s3:*"
    ],
    "Effect": "Allow",
    "Resource": "*"
},
I am trying, without success, to deny access to this user with an S3 resource policy.
Here is the S3 bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockRootAndHomeListingOfCompanyBucket",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "user/",
                        "user/my_user"
                    ],
                    "s3:delimiter": "/"
                }
            }
        },
        {
            "Sid": "BlockAllOnSharedFolder",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "shared/*"
                }
            }
        }
    ]
}
Everything works for the 1st statement, where the user cannot list any of the objects listed.
The problem is with the 2nd statement for the shared folder.
Originally the 2nd statement had "Action": "s3:ListBucket" and everything worked.
Later I changed ListBucket to ‘*’ (as in the code above) and waited over 20 minutes to make sure that the policy would be activated.
The problem is that the policy denies only ListBucket for the my-bucket/shared folder:
$ aws s3 ls s3://my-bucket/shared/folder/x1.txt
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: User: arn:aws:iam::ACCOUNT_NUMBER:user/my_user is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my-bucket" with an explicit deny in a resource-based policy
$ aws s3 rm s3://my-bucket/shared/folder/x1.txt
delete: s3://my-bucket/shared/folder/x1.txt
$ aws s3 cp x2.txt s3://my-bucket/shared/folder/
upload: ./x2.txt to s3://my-bucket/shared/folder/x2.txt
The cp and rm actions take effect. Objects are added / removed from the S3 folder.
What am I missing in the above policy to Deny all actions on the my-bucket/shared folder?
2 Answers
I was hoping that expanding Resource as in @John Rotenstein's proposal could work for the folder as it works for the bucket. But with the policy below, the folder denies PutObject and DeleteObject but allows ListBucket.
I had to add a separate statement to block ListBucket.
Here is the full policy that blocks listing and put/delete on the bucket/folder in my case:
Some Amazon S3 operations take place on the bucket, such as ListBucket:

Some operations take place on the objects, such as DeleteObject and PutObject:

Note the /* in the Resource, which is required when using object-level operations. You can combine them together with:

This should make the s3:* actions recognised for both bucket- and object-level operations.
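To show why the question's second statement never matched cp/rm, here is an added example (my own code, not AWS's evaluator and not the policy from either answer): a small matcher that models the two IAM rules the thread turns on, that object operations target the `bucket/key` ARN rather than the bucket ARN, and that a condition on a key absent from the request context (s3:prefix exists only for ListBucket) makes the statement not apply. The `FIXED` policy is a constructed version of the split bucket-level/object-level shape described above; ACCOUNT_NUMBER is the question's placeholder.

```python
# Added example: minimal model of IAM Deny matching, not the real AWS engine.
import fnmatch

BUCKET = "arn:aws:s3:::my-bucket"
USER = "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"  # placeholder from the question

# The question's 2nd statement: Deny s3:* on the *bucket* ARN with an s3:prefix
# condition. Object calls target "bucket/key" and carry no s3:prefix key,
# so this statement can never match PutObject or DeleteObject.
AS_ASKED = {"Statement": [
    {"Sid": "BlockAllOnSharedFolder", "Effect": "Deny",
     "Principal": {"AWS": USER}, "Action": "s3:*", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "shared/*"}}}]}

# Constructed fix in the shape the answer describes: one bucket-level Deny
# (where s3:prefix exists) and one object-level Deny on bucket/shared/*.
FIXED = {"Statement": [
    {"Sid": "DenyListShared", "Effect": "Deny",
     "Principal": {"AWS": USER}, "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "shared/*"}}},
    {"Sid": "DenyObjectOpsShared", "Effect": "Deny",
     "Principal": {"AWS": USER}, "Action": "s3:*",
     "Resource": BUCKET + "/shared/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    # Every operator/key must pass; a key missing from the request context
    # fails the test, so the statement simply does not apply.
    ops = {"StringEquals": lambda v, w: v == w, "StringLike": fnmatch.fnmatchcase}
    for op, keys in cond.items():
        for key, wanted in keys.items():
            if key not in ctx or not any(ops[op](ctx[key], w) for w in _as_list(wanted)):
                return False
    return True

def explicit_deny(policy, principal, action, resource, ctx=None):
    """Sid of the first Deny statement matching this request, or None."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or principal not in _as_list(st["Principal"]["AWS"]):
            continue
        # IAM's * and ? wildcards behave like fnmatch's for these ARNs/actions.
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None

if __name__ == "__main__":
    # ListBucket requests carry s3:prefix; object requests do not.
    ls = ("s3:ListBucket", BUCKET, {"s3:prefix": "shared/folder/", "s3:delimiter": "/"})
    put = ("s3:PutObject", BUCKET + "/shared/folder/x2.txt", {})
    for name, pol in (("as asked", AS_ASKED), ("fixed", FIXED)):
        print(name, "ls ->", explicit_deny(pol, USER, *ls), "| put ->", explicit_deny(pol, USER, *put))
```

Running it prints that the as-asked policy denies only the listing while the fixed one denies both, which is the behaviour seen in the question's terminal session.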