Access point policy is not restricting the access to bucket

0

I have a bucket which restricts access to it only through access policy. I see that it is not working as expected. Here is the bucket policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::admin-only-bucket",
                "arn:aws:s3:::admin-only-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:DataAccessPointAccount": "xxxxxxxxxxxx"
                }
            }
        }
    ]
}

The access point has the following policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:: xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1: xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

My intent is to restrict the bucket only to the admin user. When I list the objects in the bucket 'admin-only-accesspoint', it is working fine:

aws s3api list-objects --bucket arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint --profile admin

But I am also able to list objects with another user 'staff':

aws s3api list-objects --bucket arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint --profile staff

Just wondering why the access is not restricted to admin user.

3 answers
1

You've answered this yourself but for others reading along, this is explained in a lot of detail in the documentation.

A common thing that has tripped me up in the past is that if the IAM policy for the role I'm using allows access to an S3 bucket, and the S3 bucket policy doesn't include my identity specifically and doesn't deny me access, then I'm allowed access, because (as you point out) there isn't an explicit deny. If my IAM policy did not allow me access in the first place then I wouldn't have access, because the implicit deny would stop me.

AWS EXPERT
answered a year ago
0
Accepted answer

I see that it is working as expected if I change the policy as

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam:: xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1: xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

Apparently, the access point policy allows everything by default unless there is a deny.

A better solution is this one -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:: xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1: xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

The issue was that all the users I was trying had all the permissions for S3. So, I removed all the S3 permissions for the users and allowed them access only through the bucket and access point policies, which resolved the issue.

So if the identity has permission to access S3, the bucket and access point policies have no impact unless there is an explicit deny.

answered a year ago
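The evaluation order described in the first answer and in the accepted answer (an explicit Deny anywhere wins; otherwise, within one account, an Allow in either the identity policy or a resource policy is enough; otherwise the request is implicitly denied) can be checked against the policies in this thread with a small model. The following Python is an added illustration, not code from the thread or from AWS; it is a deliberately simplified same-account evaluator (no cross-account rules, only StringEquals/StringNotEquals conditions), and the account id, the staff user ARN and the broad `s3:*` identity policy are constructed placeholders for what the asker described.

```python
"""Simplified model of how an IAM identity policy, the bucket policy and the
access point policy combine for a same-account S3 request.
Constructed example, not AWS's evaluation engine; ARNs are placeholders."""
import fnmatch

ACCOUNT = "111111111111"                        # placeholder account id
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/admin"
STAFF = f"arn:aws:iam::{ACCOUNT}:user/staff"    # constructed second user
BUCKET_ARN = "arn:aws:s3:::admin-only-bucket"
AP_ARN = f"arn:aws:s3:us-east-1:{ACCOUNT}:accesspoint/admin-only-accesspoint"

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(stmt, principal):
    # Identity-based policies carry no Principal element: they bind to the caller.
    if "Principal" in stmt:
        p = stmt["Principal"]
        return _matches(["*"] if p == "*" else p.get("AWS"), principal)
    if "NotPrincipal" in stmt:
        return not _matches(stmt["NotPrincipal"].get("AWS"), principal)
    return True

def _condition_holds(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            actual = ctx.get(key)   # missing key: StringEquals fails, StringNotEquals holds
            if op == "StringEquals" and actual != expected:
                return False
            if op == "StringNotEquals" and actual == expected:
                return False
    return True

def _applies(stmt, principal, action, resources, ctx):
    return (_principal_matches(stmt, principal)
            and _matches(stmt.get("Action"), action)
            and any(_matches(stmt.get("Resource"), r) for r in resources)
            and _condition_holds(stmt, ctx))

def evaluate(policies, principal, action, resources, ctx):
    """Explicit Deny in any policy wins; otherwise any applicable Allow
    (identity- or resource-based, same account) grants; else implicit deny."""
    verdict = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, principal, action, resources, ctx):
                if stmt["Effect"] == "Deny":
                    return "explicit-deny"
                verdict = "allow"
    return verdict

# What the asker's users had: an identity policy granting all of S3 (constructed).
IAM_FULL_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Bucket policy from the question: deny unless the request came through an
# access point owned by this account.
BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    "Condition": {"StringNotEquals": {"s3:DataAccessPointAccount": ACCOUNT}}}]}

# Access point policy from the question: allows admin, says nothing about others.
AP_ALLOW_ADMIN = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ADMIN},
    "Action": "s3:ListBucket", "Resource": AP_ARN}]}

# The asker's first fix: explicit deny for everyone except admin.
AP_DENY_NOT_ADMIN = {"Statement": [{
    "Effect": "Deny", "NotPrincipal": {"AWS": ADMIN},
    "Action": "s3:ListBucket", "Resource": AP_ARN}]}

VIA_AP = [AP_ARN, BUCKET_ARN]                   # request routed through the access point
AP_CTX = {"s3:DataAccessPointAccount": ACCOUNT}

def list_via_access_point(identity_policy, ap_policy, principal):
    policies = [p for p in (identity_policy, BUCKET_POLICY, ap_policy) if p]
    return evaluate(policies, principal, "s3:ListBucket", VIA_AP, AP_CTX)

def list_bucket_directly(identity_policy, principal):
    # No s3:DataAccessPointAccount in the request context, so the bucket Deny fires.
    return evaluate([identity_policy, BUCKET_POLICY], principal,
                    "s3:ListBucket", [BUCKET_ARN], {})

if __name__ == "__main__":
    print("staff, broad IAM, allow-only AP policy :", list_via_access_point(IAM_FULL_S3, AP_ALLOW_ADMIN, STAFF))
    print("staff, broad IAM, NotPrincipal deny    :", list_via_access_point(IAM_FULL_S3, AP_DENY_NOT_ADMIN, STAFF))
    print("staff, no IAM S3 rights, allow-only AP :", list_via_access_point(None, AP_ALLOW_ADMIN, STAFF))
    print("admin, no IAM S3 rights, allow-only AP :", list_via_access_point(None, AP_ALLOW_ADMIN, ADMIN))
    print("admin, broad IAM, direct bucket request:", list_bucket_directly(IAM_FULL_S3, ADMIN))
```

The first scenario reproduces what the asker saw: with a broad identity policy, staff is allowed through the access point because nothing denies it and the allow-only access point policy is never consulted for a denial. The NotPrincipal deny closes that gap, and removing the S3 rights from the identity policy closes it too, since staff then falls to implicit deny while admin is still allowed by the access point policy. The last scenario shows why the bucket policy's DataAccessPointAccount condition is still needed: a direct request to the bucket, bypassing the access point, hits the explicit deny even for admin.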
0

Try using the following policies:

IAM Policy:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"IAMPolicyForS3BucketAccess",
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::my-bucket",
            "arn:aws:s3:::my-bucket/*"
         ]
      }
   ]
}

Bucket Policy:

{
   "Id":"Policy1585661668608",
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyRequestThatDoNotUseTheAccessPointAccount",
         "Effect":"Deny",
         "Principal":{
            "AWS":[
               "arn:aws:iam::111111111111:root"
            ]
         },
         "Action":[
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::admin-only-bucket",
            "arn:aws:s3:::admin-only-bucket/*"
         ],
         "Condition":{
            "StringNotEquals":{
               "s3:DataAccessPointAccount":"111111111111"
            }
         }
      }
   ]
}

Access Point Policy:

{
   "Version":"2008-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws:iam::111111111111:user/admin"
         },
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:us-east-1:111111111111:accesspoint/admin-only-accesspoint"
      }
   ]
}
AWS
answered a year ago
  • It is not clear how this is going to solve the issue.
