AWS S3 bucket with limited access

0

I want to have an S3 bucket that has limited access from users in our account. The contents of the files shouldn't be accessible to all users. We have the admins in a user group. I want to add a policy to a specific bucket that only allows users in that admin group to have access. How would one achieve this?

I have looked at all the examples I can find online & I've read through posts here in re:Post, but I haven't found anything that fits what we're looking to do.

1 answer
0

I would use tags on the principals instead of group membership with a bucket policy like this:

{
  "Id": "Policy1670278952233",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1670278950745",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/role": "admin"
        }
      },
      "Principal": "*"
    }
  ]
}
AWS Expert
kentrad
Answered 1 year ago
  • Thank you for the response. This was helpful. This didn't work exactly as is, but a few small changes got it working.

    Changes:

    • Having just an Allow didn't restrict access for people without the correct role tag. Changing this to a "Deny" and the condition to "StringNotEquals" blocks people without the tag.
    • I was hoping to have this cover both access to the bucket and objects in that bucket. To do that I needed to add a 2nd resource for the items in the bucket.
  • Resulting policy:

    {
        "Version": "2012-10-17",
        "Id": "Policy1670282433764",
        "Statement": [
            {
                "Sid": "Stmt1670282432513",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::bucket-name",
                    "arn:aws:s3:::bucket-name/*"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "aws:PrincipalTag/role": "admin"
                    }
                }
            }
        ]
    }
    
  • One question I have about this approach. Since the Principal is set to "*", will users in other accounts who have the correct tag be allowed to access the bucket?

  • That's a good point. Add the ARN to the Principal to limit to users with your account.
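The two findings in this thread (an Allow-only statement does not restrict same-account users, and a wildcard Principal can reach other accounts) follow from how S3 combines the bucket policy with the caller's identity policy. The following is an added example, not code from the thread or from AWS: a simplified model of that evaluation (explicit Deny wins; a same-account principal needs an Allow from either policy, a cross-account principal needs an Allow in the bucket policy itself) run against both policies posted above. The account IDs, user names and object key are constructed placeholders.

```python
from fnmatch import fnmatchcase

# The two bucket policies from the thread, reduced to their Statement arrays.
ALLOW_ONLY = [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
               "Resource": "arn:aws:s3:::bucket-name",
               "Condition": {"StringEquals": {"aws:PrincipalTag/role": "admin"}}}]
DENY_UNLESS_ADMIN = [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                      "Resource": ["arn:aws:s3:::bucket-name",
                                   "arn:aws:s3:::bucket-name/*"],
                      "Condition": {"StringNotEquals": {"aws:PrincipalTag/role": "admin"}}}]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _applies(stmt, action, resource, ctx):
    """Does this statement match the request (principal, action, resource, conditions)?"""
    principal = stmt["Principal"]
    if principal != "*" and ctx["aws:PrincipalArn"] not in _as_list(principal["AWS"]):
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for op, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            equal = ctx.get(key) == expected
            # A missing tag makes StringEquals false and StringNotEquals true.
            if (op == "StringEquals" and not equal) or (op == "StringNotEquals" and equal):
                return False
    return True

def evaluate(statements, action, resource, ctx, identity_allows, same_account):
    """Simplified S3 decision: 'explicit_deny', 'allow' or 'implicit_deny'."""
    effects = {s["Effect"] for s in statements if _applies(s, action, resource, ctx)}
    if "Deny" in effects:
        return "explicit_deny"
    if "Allow" in effects or (same_account and identity_allows):
        return "allow"
    return "implicit_deny"

def request(arn, tag=None):
    """Build the request context for a principal, optionally carrying the role tag."""
    ctx = {"aws:PrincipalArn": arn}
    if tag:
        ctx["aws:PrincipalTag/role"] = tag
    return ctx

# Constructed principals: 111111111111 stands for our account, 222222222222 for a foreign one.
BUCKET, OBJ = "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/secret.txt"
ADMIN = request("arn:aws:iam::111111111111:user/alice", "admin")
STAFF = request("arn:aws:iam::111111111111:user/bob")
FOREIGN_ADMIN = request("arn:aws:iam::222222222222:user/eve", "admin")
```

With `ALLOW_ONLY`, bob (no tag, but an identity policy granting s3:*) still gets `allow`, and eve in the foreign account gets `allow` as well; with `DENY_UNLESS_ADMIN`, bob is explicitly denied, alice is allowed, and eve is implicitly denied because nothing in the bucket policy grants cross-account access.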
