Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

User to view the buckets but not allowed to create a bucket

0

I am trying to configure my IAM policy which would allow a user to only view the bucket and place objects, delete and update the folder/files within that bucket, but deny bucket creation. I have already added the following to my IAM policy but it is of no use as it will still allow the user to create a bucket. How to achieve this goal?

	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListAllMyBuckets"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::*"
			]
		},
                {
			"Effect": "Deny",
			"Action": "s3:CreateBucket",
			"Resource": "*"
		},
		{
			"Effect": "Deny",
			"Action": "s3:CreateBucket",
			"NotResource": "arn:aws:s3:::*"
		},
		{
			"Action": [
				"s3:ListBucket",
				"s3:GetBucketLocation"
			],
			"Effect": "Allow",
			"Resource": "arn:aws:s3:::my-bucket"
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:PutObject",
				"s3:DeleteObject"
			],
			"Resource": "arn:aws:s3:::my-bucket/*"
		}
	]
}
Themen
SpeicherSicherheit, Identität & Konformität
Tags
Amazon Simple Storage ServiceAWS Identity and Access ManagementIAM-Richtlinien
Sprache
English
Jana21
gefragt vor 2 Monaten233 Aufrufe
2 Antworten
0

To achieve your goal of allowing a user to view and manage objects within a specific S3 bucket, but denying the ability to create new buckets, you can use the following IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Effect": "Deny",
            "Action": "s3:CreateBucket",
            "Resource": "*"
        }
    ]
}

Here's what this policy does:

  1. The first statement allows the user to list the contents of the my-bucket bucket and get the bucket's location.
  2. The second statement allows the user to get objects, put objects, and delete objects within the my-bucket bucket.
  3. The third statement explicitly denies the s3:CreateBucket action on all resources (*), effectively preventing the user from creating new buckets.
profile pictureAWS
Kajonsak
beantwortet vor 2 Monaten
profile picture
EXPERTE
Gary Mclean
überprüft vor 2 Monaten
  • Jana21
    vor 2 Monaten

    I did try this policy, but after logging in as the IAM user, it is still able to create a bucket! will it take time for this policy to take affect? I'm assuming it will be instantly but it doesn't work. What could be the reason and what are other options? Thanks.

0

Hello,

the second deny seems to contradict this by trying to allow the same action on any resource not matching

	{
		"Effect": "Deny",
		"Action": "s3:CreateBucket",
		"NotResource": "arn:aws:s3:::*"
	},
Paul
beantwortet vor 2 Monaten
profile picture
EXPERTE
Gary Mclean
überprüft vor 2 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt