Access point policy is not restricting access to the bucket

0

I have a bucket which restricts access to it only through access policy. I see that it is not working as expected. Here is the bucket policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::admin-only-bucket",
                "arn:aws:s3:::admin-only-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:DataAccessPointAccount": "xxxxxxxxxxxx"
                }
            }
        }
    ]
}

The access point has the following policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

My intent is to restrict the bucket only to the admin user. When I list the objects in the bucket 'admin-only-accesspoint', it is working fine.

    aws s3api list-objects --bucket arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint --profile admin

But I am also able to list objects with another user, 'staff'.

    aws s3api list-objects --bucket arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint --profile staff

Just wondering why the access is not restricted to admin user.

3 Answers
1

You've answered this yourself but for others reading along, this is explained in a lot of detail in the documentation.

A common thing that has tripped me up in the past is that if the IAM policy for the role I'm using allows access to a S3 bucket; and the S3 bucket policy doesn't include my identity specifically and doesn't deny me access then I'm allowed access - because (as you point out) there isn't an explicit deny. If my IAM policy did not allow me access in the first place then I wouldn't have access because the implicit deny would stop me.

AWS
EXPERT
answered a year ago
0
Accepted Answer

I see that it is working as expected if I change the policy as

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

Apparently, the access point policy allows everything by default unless there is a deny.

Better solution is this one -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

The issue was that all the users I was trying had all the permissions for S3. So, I removed all the S3 permissions for the users and allowed them access only through the bucket and access point policies, which resolved the issue.

So if the identity has permission to access S3, the bucket and access point policies have no impact unless there is an explicit deny.

answered a year ago
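The evaluation rule that both the first answer and the accepted answer describe (an explicit Deny in any applicable policy wins; otherwise, within a single account, an Allow in either the identity policy or a resource policy is enough) is easy to see with a small simulator. The following is an added example, not AWS code and not part of the original thread: a toy same-account evaluator run over the three policy sets from this thread (the original bucket plus access point policies, the NotPrincipal deny, and the "remove the user's S3 permissions" fix). It assumes the placeholder account id 111111111111 in place of xxxxxxxxxxxx, a `staff` user whose identity policy grants `s3:*` on `*` (the question says every user had full S3 permissions), and it models only the StringEquals / StringNotEquals operators; SCPs, permission boundaries and cross-account evaluation are out of scope.

```python
"""Toy same-account simulation of how the policies in this thread evaluate.

Added example, not AWS code: it models only the rule the answers describe
(an explicit Deny in any policy wins; otherwise, within one account, an Allow
in either the identity policy or a resource policy is enough) and supports
just the StringEquals / StringNotEquals operators.  No SCPs, permission
boundaries or cross-account evaluation.
"""
import fnmatch

ACCOUNT = "111111111111"  # placeholder for the xxxxxxxxxxxx account id in the thread
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/admin"
STAFF = f"arn:aws:iam::{ACCOUNT}:user/staff"  # assumed second user from the question
BUCKET = "arn:aws:s3:::admin-only-bucket"
ACCESS_POINT = f"arn:aws:s3:us-east-1:{ACCOUNT}:accesspoint/admin-only-accesspoint"


def _lst(v):
    return v if isinstance(v, list) else [v]


def _glob(patterns, value):
    # IAM-style wildcard match ('*' and '?') against one or more patterns
    return any(fnmatch.fnmatchcase(value, p) for p in _lst(patterns))


def _principal_matches(stmt, principal):
    if "Principal" in stmt:
        return _glob(stmt["Principal"]["AWS"], principal)
    if "NotPrincipal" in stmt:
        return not _glob(stmt["NotPrincipal"]["AWS"], principal)
    return True  # identity-based policies carry no Principal element


def _condition_matches(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals":
                if have is None or have not in _lst(wanted):
                    return False
            elif op == "StringNotEquals":
                # Negated operators are satisfied when the key is absent, which is
                # why a Deny on s3:DataAccessPointAccount also catches requests that
                # go straight to the bucket instead of through an access point.
                if have is not None and have in _lst(wanted):
                    return False
            else:
                raise NotImplementedError(f"operator {op} not modelled")
    return True


def _statement_applies(stmt, req):
    return (_glob(stmt["Action"], req["action"])
            and any(_glob(stmt["Resource"], r) for r in req["resources"])
            and _principal_matches(stmt, req["principal"])
            and _condition_matches(stmt, req["context"]))


def evaluate(policies, req):
    """Return 'DENY', 'ALLOW' or 'IMPLICIT_DENY' for one same-account request."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _statement_applies(s, req)}
    if "Deny" in effects:
        return "DENY"
    return "ALLOW" if "Allow" in effects else "IMPLICIT_DENY"


# --- policies from the thread, with the placeholder account id filled in ----
IDENTITY_FULL_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IDENTITY_NONE = {"Statement": []}  # accepted answer's fix: no S3 permissions on the user

BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotEquals": {"s3:DataAccessPointAccount": ACCOUNT}}}]}

AP_ALLOW_ADMIN = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ADMIN},
    "Action": "s3:ListBucket", "Resource": ACCESS_POINT}]}

AP_DENY_NOT_ADMIN = {"Statement": [{
    "Effect": "Deny", "NotPrincipal": {"AWS": ADMIN},
    "Action": "s3:ListBucket", "Resource": ACCESS_POINT}]}


def list_via_access_point(user, policies):
    # A request through the access point carries both resource ARNs and the
    # s3:DataAccessPointAccount context key.
    return evaluate(policies, {"principal": user, "action": "s3:ListBucket",
                               "resources": [BUCKET, ACCESS_POINT],
                               "context": {"s3:DataAccessPointAccount": ACCOUNT}})


def list_bucket_directly(user, policies):
    return evaluate(policies, {"principal": user, "action": "s3:ListBucket",
                               "resources": [BUCKET], "context": {}})


if __name__ == "__main__":
    original = [IDENTITY_FULL_S3, BUCKET_POLICY, AP_ALLOW_ADMIN]
    print("original, staff via AP:  ", list_via_access_point(STAFF, original))   # ALLOW
    print("original, staff direct:  ", list_bucket_directly(STAFF, original))    # DENY
    with_deny = [IDENTITY_FULL_S3, BUCKET_POLICY, AP_DENY_NOT_ADMIN]
    print("NotPrincipal, staff via AP:", list_via_access_point(STAFF, with_deny)) # DENY
    least_priv = [IDENTITY_NONE, BUCKET_POLICY, AP_ALLOW_ADMIN]
    print("no IAM perms, staff via AP:", list_via_access_point(STAFF, least_priv)) # IMPLICIT_DENY
    print("no IAM perms, admin via AP:", list_via_access_point(ADMIN, least_priv)) # ALLOW
```

The first scenario reproduces the question: the `s3:*` identity policy allows, the bucket Deny does not fire because the request came through an access point of the right account, and the access point Allow for admin simply never matters for staff, so staff gets through. The NotPrincipal Deny fixes it by adding an explicit deny, and dropping the users' S3 permissions fixes it by leaving staff with nothing but an implicit deny, while admin is still allowed by the access point policy alone. Against a real account, the same check is the two `aws s3api list-objects ... --profile` calls from the question, where the staff call should now return AccessDenied.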
0

Try using the following policies:

IAM Policy:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"IAMPolicyForS3BucketAccess",
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::my-bucket",
            "arn:aws:s3:::my-bucket/*"
         ]
      }
   ]
}

Bucket Policy:

{
   "Id":"Policy1585661668608",
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyRequestThatDoNotUseTheAccessPointAccount",
         "Effect":"Deny",
         "Principal":{
            "AWS":[
               "arn:aws:iam::111111111111:root"
            ]
         },
         "Action":[
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::admin-only-bucket",
            "arn:aws:s3:::admin-only-bucket/*"
         ],
         "Condition":{
            "StringNotEquals":{
               "s3:DataAccessPointAccount":"111111111111"
            }
         }
      }
   ]
}

Access Point Policy:

{
   "Version":"2008-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws:iam::111111111111:user/admin"
         },
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:us-east-1:111111111111:accesspoint/admin-only-accesspoint"
      }
   ]
}
AWS
answered a year ago
  • It is not clear how this is going to solve the issue.
