I created S3 static web – public bucket and by default all the ec2 instance that i have in my account can upload files to the s3 bucket.
My goal is to limit the access to upload files to the bucket just from spesific instance (My bastion instance) .
So I created a role with all s3 permission and attach the role to my bastion instance , than I put this policy in the bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::name/*"
},
{
"Sid": "allow only OneUser to put objects",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::3254545218:role/Ec2AccessToS3"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::name/*"
}
]
}
But now all the ec2 instance include the bastion instance cant upload files to the s3 bucket..
Im trying to change this arn line:
"NotPrincipal": {
"AWS": "arn:aws:iam::3254545218:role/Ec2AccessToS3"
To user arn and its work .. But I want this is work on the role
I was able to do the operation on a specific user but not on a specific instance (role).
What Im doing wrong?
3
Answers
I just want to update , Im trying to give access to spesific user instead .. this is not working to..
Refer to the "Granting same-account bucket access to a specific role" section of this AWS blog. The gist is as given below.
Each IAM entity (user or role) has a defined
aws:userid
variable. You will need this variable for use within the bucket policy to specify the role or user as an exception in a conditional element. An assumed-role’saws:userId
value is defined asUNIQUE-ROLE-ID:ROLE-SESSION-NAME
(for example,AROAEXAMPLEID:userdefinedsessionname
).To get
AROAEXAMPLEID
for the IAM role, do the following:aws iam get-role -–role-name ROLE-NAME
.AROA
.You will be using this in the bucket policy to scope bucket access to only this role.Use this
aws:userId
in the policy,