AWS S3 bucket with limited access

0

I want to have an S3 bucket that has limited access from users in our account. The contents of the files shouldn't be accessible to all users. We have the admins in a user group. I want to add a policy to a specific bucket that only allows users in that admin group to have access. How would one achieve this?

I have looked at all the examples I can find online & I've read through posts here in re:Post, but I haven't found anything that fits what we're looking to do.

1 answer
0

I would use tags on the principals instead of group membership with a bucket policy like this:

{
  "Id": "Policy1670278952233",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1670278950745",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/role": "admin"
        }
      },
      "Principal": "*"
    }
  ]
}
AWS EXPERT
kentrad
answered a year ago
  • Thank you for the response. This was helpful. This didn't work exactly as is, but a few small changes got it working.

    Changes:

    • Having just an Allow didn't restrict access for people without the correct role tag. Changing this to a "Deny" and the condition to "StringNotEquals" blocks people without the tag.
    • I was hoping to have this cover both access to the bucket and objects in that bucket. To do that I needed to add a 2nd resource for the items in the bucket.
  • Resulting policy:

    {
        "Version": "2012-10-17",
        "Id": "Policy1670282433764",
        "Statement": [
            {
                "Sid": "Stmt1670282432513",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::bucket-name",
                    "arn:aws:s3:::bucket-name/*"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "aws:PrincipalTag/role": "admin"
                    }
                }
            }
        ]
    }
    
  • I have one question about this approach. Since the principal is set to "*", will users in other accounts who have the correct tag be allowed to access the bucket?

  • That's a good point. Add the ARN to the Principal to limit it to users in your account.
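Added here as an illustration, not code from the thread or from AWS: a small Python model of how the two bucket policies above behave for three constructed principals (a same-account user tagged role=admin, a same-account untagged user whose own IAM policy already grants s3:*, and a role=admin principal from another account). The evaluation rules are a simplification of AWS's documented logic: an explicit deny wins, same-account access needs an allow from either the identity policy or the bucket policy, and cross-account access needs an allow from both. Account ids and principal names are placeholders.

```python
# Simplified model of the S3 access decision for the two bucket policies in this
# thread. Assumptions (constructed, not AWS code): explicit Deny always wins;
# same-account access is granted if the identity policy OR the bucket policy
# allows; cross-account access needs BOTH. A principal with no "role" tag is
# treated as not equal to "admin", which is what the commenter observed.
from typing import Dict, List

BUCKET_ACCOUNT = "111111111111"  # constructed placeholder account id

# The first answer's policy (Allow + StringEquals) and the commenter's fix
# (Deny + StringNotEquals); both use Principal "*", so every statement applies.
ALLOW_ONLY: List[Dict] = [{"Effect": "Allow",
    "Condition": {"StringEquals": {"aws:PrincipalTag/role": "admin"}}}]
DENY_NON_ADMIN: List[Dict] = [{"Effect": "Deny",
    "Condition": {"StringNotEquals": {"aws:PrincipalTag/role": "admin"}}}]

def condition_matches(cond: Dict, tags: Dict[str, str]) -> bool:
    """Evaluate StringEquals / StringNotEquals on aws:PrincipalTag/<key>."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = tags.get(key.split("/", 1)[1])  # None when the tag is absent
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True

def is_allowed(bucket_policy: List[Dict], principal: Dict) -> bool:
    """principal: {'account': str, 'tags': dict, 'identity_allows_s3': bool}."""
    bucket_allow = False
    for stmt in bucket_policy:
        if condition_matches(stmt.get("Condition", {}), principal["tags"]):
            if stmt["Effect"] == "Deny":
                return False            # explicit deny wins over everything
            bucket_allow = True
    if principal["account"] == BUCKET_ACCOUNT:
        return bucket_allow or principal["identity_allows_s3"]
    return bucket_allow and principal["identity_allows_s3"]  # cross-account

PRINCIPALS = {  # constructed sample principals
    "tagged_admin": {"account": BUCKET_ACCOUNT, "tags": {"role": "admin"},
                     "identity_allows_s3": True},
    "untagged_dev": {"account": BUCKET_ACCOUNT, "tags": {},
                     "identity_allows_s3": True},
    "other_account_admin": {"account": "222222222222", "tags": {"role": "admin"},
                            "identity_allows_s3": True},
}

def decisions(policy: List[Dict]) -> Dict[str, bool]:
    """Access decision per principal for a given bucket policy."""
    return {name: is_allowed(policy, p) for name, p in PRINCIPALS.items()}
```

Under this model the Allow-only policy leaves the untagged same-account user with access through their own IAM policy (the commenter's first observation) and grants the tagged cross-account principal access, while the Deny version blocks the untagged user and, having no Allow statement, gives the other account nothing to rely on.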
