
I kindly ask for your help with conditions in an SCP.
I need a policy that blocks all actions on all S3 buckets but excludes particular buckets (for example those with the prefix secret-bucket-*).

I didn't find any solution for bucket names, only for the object prefix, and I tried with tags, but that is also not working as expected:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Statement1",
        "Effect": "Deny",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "*"
        ],
        "Condition": {
            "StringNotEquals": {
                "aws:ResourceTag/secret": "true"
            }
        }
    }
]
}


Answers


  1. Would that help?

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Sid":"statement1",
             "Effect":"Deny",
             "NotAction":[
                "s3:ListAllMyBuckets", 
                "s3:GetBucketLocation"  
             ],
             "Resource":[
                "arn:aws:s3:::secret-bucket-*"
             ]
           }
        ]
    }
    
  2. Use a policy that only allows the actions on the buckets with a certain prefix in the bucket name:

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Sid":"statement1",
             "Effect":"Allow",
             "Action":[
                "s3:*"
             ],
             "Resource":[
                "arn:aws:s3:::secret-bucket-*"
             ]
           }
        ]
    }
    

    All other resources will be implicitly denied.

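The goal stated in the question, as an added example that is not part of the original post or of either answer: an SCP that denies every S3 action except on buckets whose name starts with secret-bucket-, written as a Deny statement with NotResource (the element SCPs accept for carving an exception out of a Deny), plus a small Python evaluator that shows which constructed sample requests it blocks. The evaluator is a toy: it implements Action/NotAction, Resource/NotResource, IAM's `*`/`?` wildcards and the explicit-deny-over-allow ordering, ignores Condition elements, and does not model account-level calls such as s3:ListAllMyBuckets (which the first answer exempts). The FullAWSAccess statement, the bucket names and the request list are assumptions made for the example.

```python
import json
import re

# Added example (not from the original question or answers): an SCP that denies
# every S3 action except on buckets named secret-bucket-*, plus a toy evaluator
# to check what it does to sample requests.
#
# Bucket-level calls (s3:ListBucket, s3:GetBucketLocation, ...) are authorized
# against arn:aws:s3:::<bucket>, object-level calls (s3:GetObject, s3:PutObject,
# ...) against arn:aws:s3:::<bucket>/<key>. Because IAM's '*' also matches '/',
# the first pattern below already covers object ARNs; the second is redundant
# here but is the one you need when the bucket name is exact (no trailing '*').
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*" },
    {
      "Sid": "DenyS3OutsideSecretBuckets",
      "Effect": "Deny",
      "Action": "s3:*",
      "NotResource": [
        "arn:aws:s3:::secret-bucket-*",
        "arn:aws:s3:::secret-bucket-*/*"
      ]
    }
  ]
}
""")


def iam_match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """True if the statement applies to (action, resource).

    Action names match case-insensitively, resource ARNs case-sensitively.
    NotAction / NotResource are the complements of Action / Resource.
    Condition elements are ignored (assumption: this sample policy has none).
    """
    if "Action" in stmt:
        action_hit = any(iam_match(p, action, True) for p in _as_list(stmt["Action"]))
    else:
        action_hit = not any(iam_match(p, action, True) for p in _as_list(stmt.get("NotAction")))
    if "Resource" in stmt:
        resource_hit = any(iam_match(p, resource) for p in _as_list(stmt["Resource"]))
    else:
        resource_hit = not any(iam_match(p, resource) for p in _as_list(stmt.get("NotResource")))
    return action_hit and resource_hit


def scp_decision(policy, action, resource):
    """'explicitDeny' if any Deny statement matches, 'allow' if an Allow matches,
    otherwise 'implicitDeny'. 'allow' only means the SCP does not block the call;
    the principal's identity policy still has to grant it."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource)}
    if "Deny" in effects:
        return "explicitDeny"
    if "Allow" in effects:
        return "allow"
    return "implicitDeny"


# Constructed sample requests (action, resource ARN) for the example.
SAMPLE_REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::secret-bucket-prod/report.csv"),
    ("s3:ListBucket", "arn:aws:s3:::secret-bucket-prod"),
    ("s3:GetObject", "arn:aws:s3:::public-assets/index.html"),
    ("s3:DeleteBucket", "arn:aws:s3:::public-assets"),
    ("s3:GetObject", "arn:aws:s3:::not-secret-bucket-1/x"),  # prefix, not substring
    ("ec2:DescribeInstances", "*"),                          # non-S3 calls untouched
]


def decisions(policy=SCP, requests=SAMPLE_REQUESTS):
    """Evaluate every sample request and return (action, resource, decision)."""
    return [(a, r, scp_decision(policy, a, r)) for a, r in requests]


if __name__ == "__main__":
    for action, resource, decision in decisions():
        print(f"{decision:13} {action:22} {resource}")
```

Run it and the two secret-bucket requests and the EC2 call come back as `allow`, while every S3 call on another bucket, including one whose name merely contains `secret-bucket-`, is an `explicitDeny`. The Allow statement in the sample SCP is there only so that a request the Deny does not catch resolves to `allow` rather than `implicitDeny`; an SCP with nothing but the Deny statement would implicitly deny everything.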