AWS S3 bucket with limited access

0

I want to have an S3 bucket that has limited access from users in our account. The contents of the files shouldn't be accessible to all users. We have the admins in a user group. I want to add a policy to a specific bucket that only allows users in that admin group to have access. How would one achieve this?

I have looked at all the examples I can find online & I've read through posts here in re:Post, but I haven't found anything that fits what we're looking to do.

1 answer
0

I would use tags on the principals instead of group membership with a bucket policy like this:

{
  "Id": "Policy1670278952233",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1670278950745",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/role": "admin"
        }
      },
      "Principal": "*"
    }
  ]
}
AWS Expert
kentrad
answered a year ago
  • Thank you for the response. This was helpful. This didn't work exactly as is, but a few small changes got it working.

    Changes:

    • Having just Allow didn't restrict access to people without the correct role tag. Changing this to a "Deny" and the condition to "StringNotEquals" blocks people without the tag.
    • I was hoping to have this cover both access to the bucket and objects in that bucket. To do that I needed to add a 2nd resource for the items in the bucket.

    Resulting policy:

    {
        "Version": "2012-10-17",
        "Id": "Policy1670282433764",
        "Statement": [
            {
                "Sid": "Stmt1670282432513",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::bucket-name",
                    "arn:aws:s3:::bucket-name/*"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "aws:PrincipalTag/role": "admin"
                    }
                }
            }
        ]
    }
    
  • I have one question about this approach. Since the principal is set to "*", will users in other accounts who have the correct tag be allowed to access the bucket?

  • That's a good point. Add the ARN to the Principal to limit it to users in your account.
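The comment thread above hinges on how IAM combines a bucket policy with the caller's own identity policy. The following toy evaluator is an added example (not AWS code, not the poster's) that models just enough of that evaluation to reproduce both findings: the Allow/StringEquals policy from the answer does not keep untagged same-account users out, while the Deny/StringNotEquals version does, and neither version by itself grants anything to a tagged principal in another account. Account IDs and the sample principals are constructed.

```python
"""Toy model of IAM evaluation for the two bucket policies in this thread.
Constructed example, not AWS code. Covers only: explicit Deny wins; a
same-account caller needs an Allow from EITHER its identity policy OR the
bucket policy; a cross-account caller needs an Allow from BOTH."""
import fnmatch

ACCOUNT = "111122223333"  # constructed id for "our account"
BUCKET_ARN = "arn:aws:s3:::bucket-name"

def build_policy(effect, operator):
    """Bucket policy in the thread's shape: Allow/StringEquals is the answer,
    Deny/StringNotEquals is the commenter's working version."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": "*", "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {operator: {"aws:PrincipalTag/role": "admin"}}}]}

def statement_matches(stmt, action, resource, ctx):
    # Principal is "*" in every statement here, so only Action, Resource and
    # the condition keys decide whether the statement applies.
    if not fnmatch.fnmatch(action, stmt["Action"]):
        return False
    if not any(fnmatch.fnmatch(resource, r) for r in stmt["Resource"]):
        return False
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)  # an untagged principal yields None here
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True

def evaluate(policy, action, resource, ctx, identity_allows=True):
    """ctx holds request-context keys; identity_allows models the caller's
    own IAM policy (admins in the question already hold broad S3 rights)."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"  # explicit deny always wins
    bucket_allows = "Allow" in effects
    if ctx["aws:PrincipalAccount"] == ACCOUNT:
        return "Allow" if (identity_allows or bucket_allows) else "Deny"
    return "Allow" if (identity_allows and bucket_allows) else "Deny"

# Constructed sample principals for the three cases discussed in the thread.
ADMIN = {"aws:PrincipalAccount": ACCOUNT, "aws:PrincipalTag/role": "admin"}
USER = {"aws:PrincipalAccount": ACCOUNT}  # same account, no role tag
OUTSIDER = {"aws:PrincipalAccount": "999988887777", "aws:PrincipalTag/role": "admin"}
```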
