Access point policy is not restricting the access to bucket

0

I have a bucket which restricts access to it only through access policy. I see that it is not working as expected. Here is the bucket policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::admin-only-bucket",
                "arn:aws:s3:::admin-only-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:DataAccessPointAccount": "xxxxxxxxxxxx"
                }
            }
        }
    ]
}

The access point has the following policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

My intent is to restrict the bucket only to the admin user. When I list the objects in the bucket 'admin-only-accesspoint', it is working fine.

aws s3api list-objects --bucket arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint --profile admin

But I am also able to list objects with another user 'staff'.

aws s3api list-objects --bucket arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint --profile staff

Just wondering why the access is not restricted to admin user.

3 answers
1

You've answered this yourself but for others reading along, this is explained in a lot of detail in the documentation.

A common thing that has tripped me up in the past is that if the IAM policy for the role I'm using allows access to an S3 bucket, and the S3 bucket policy doesn't include my identity specifically and doesn't deny me access, then I'm allowed access - because (as you point out) there isn't an explicit deny. If my IAM policy did not allow me access in the first place then I wouldn't have access, because the implicit deny would stop me.

AWS
Expert
answered a year ago
0
Accepted answer

I see that it is working as expected if I change the policy to

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

Apparently, the access point policy allows everything by default unless there is a deny.

A better solution is this one -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

The issue was that all the users I was trying had all the permissions for S3. So, I removed all the S3 permissions for the users and allowed them access only through the bucket and access point policy, which resolved the issue.

So if the identity has permission to access S3, the bucket and access point policies have no impact unless there is an explicit deny.

answered a year ago
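To make the evaluation rule described in the two answers above concrete, here is a small added Python model of same-account S3 policy evaluation (not code from this thread or from AWS), run against the question's bucket and access point policies. The account id, the staff user's ARN and the two identity policies (s3:* on everything, and none at all) are constructed assumptions; the model only covers the policy elements used on this page.

```python
"""Simplified model of same-account S3 policy evaluation (added illustration, not AWS code): identity,
bucket and access point policies are combined; explicit Deny wins, then any Allow, else implicit deny."""
import fnmatch
ACCOUNT = "111111111111"  # constructed placeholder account id
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/admin"
STAFF = f"arn:aws:iam::{ACCOUNT}:user/staff"  # constructed second user
BUCKET = "arn:aws:s3:::admin-only-bucket"
AP = f"arn:aws:s3:us-east-1:{ACCOUNT}:accesspoint/admin-only-accesspoint"
# Bucket and access point policies from the thread; the identity policies are constructed.
BUCKET_POLICY = {"Statement": [{"Effect": "Deny", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotEquals": {"s3:DataAccessPointAccount": ACCOUNT}}}]}
AP_ALLOW_ADMIN = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ADMIN},
    "Action": "s3:ListBucket", "Resource": AP}]}
AP_DENY_OTHERS = {"Statement": [{"Effect": "Deny", "NotPrincipal": {"AWS": ADMIN},
    "Action": "s3:ListBucket", "Resource": AP}]}
FULL_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}  # "all permissions for S3"
NO_S3 = {"Statement": []}  # S3 permissions removed from the user

def matches(pattern, value):
    """Policy elements accept '*' wildcards and lists; a list matches if any entry does."""
    return any(fnmatch.fnmatchcase(value, p) for p in (pattern if isinstance(pattern, list) else [pattern]))

def applies(stmt, principal, action, resource, context):
    """A statement applies when Principal/NotPrincipal, Action, Resource and Condition all match."""
    if "Principal" in stmt and not matches(stmt["Principal"]["AWS"], principal):
        return False
    if "NotPrincipal" in stmt and matches(stmt["NotPrincipal"]["AWS"], principal):
        return False
    if not matches(stmt["Action"], action) or not matches(stmt["Resource"], resource):
        return False
    # Only StringNotEquals is modelled; as in AWS, it evaluates true when the key is absent.
    return all(context.get(k) != v for k, v in stmt.get("Condition", {}).get("StringNotEquals", {}).items())

def evaluate(policies, principal, action, context):
    """policies: (policy, resource ARN it is checked against) pairs."""
    effects = [s["Effect"] for pol, res in policies for s in pol["Statement"]
               if applies(s, principal, action, res, context)]
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"

def list_via_access_point(identity_policy, principal, ap_policy=AP_ALLOW_ADMIN):
    """ListBucket addressed to the access point ARN; S3 supplies s3:DataAccessPointAccount."""
    return evaluate([(identity_policy, AP), (BUCKET_POLICY, BUCKET), (ap_policy, AP)],
                    principal, "s3:ListBucket", {"s3:DataAccessPointAccount": ACCOUNT})

def list_bucket_directly(identity_policy, principal):
    """ListBucket addressed to the bucket itself: the condition key is absent, so the Deny fires."""
    return evaluate([(identity_policy, BUCKET), (BUCKET_POLICY, BUCKET)], principal, "s3:ListBucket", {})
```

With the identity policy granting s3:*, staff is allowed through the access point exactly as the question observed; removing the identity permissions leaves only the access point Allow for admin, and the NotPrincipal Deny from the accepted answer blocks staff even when the identity policy still allows.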
0

Try using the following policies:

IAM Policy:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"IAMPolicyForS3BucketAccess",
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::my-bucket",
            "arn:aws:s3:::my-bucket/*"
         ]
      }
   ]
}

Bucket Policy:

{
   "Id":"Policy1585661668608",
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyRequestThatDoNotUseTheAccessPointAccount",
         "Effect":"Deny",
         "Principal":{
            "AWS":[
               "arn:aws:iam::111111111111:root"
            ]
         },
         "Action":[
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::admin-only-bucket",
            "arn:aws:s3:::admin-only-bucket/*"
         ],
         "Condition":{
            "StringNotEquals":{
               "s3:DataAccessPointAccount":"111111111111"
            }
         }
      }
   ]
}

Access Point Policy:

{
   "Version":"2008-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws:iam::111111111111:user/admin"
         },
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:us-east-1:111111111111:accesspoint/admin-only-accesspoint"
      }
   ]
}
AWS
answered a year ago
  • It is not clear how this is going to solve the issue.
