Hello guys, I achieved access to a particular S3 object via browser with presigned URLs. In my case this was the only possible and least operational solution.
To summarize: the default object URL provides access to the object only if the bucket is public; otherwise it does not work for private buckets and can't be related to any bucket or identity policies.
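To make the difference concrete, here is an added example (not code from the thread or from AWS) that builds a SigV4 query-string presigned GET URL with only the Python standard library, next to the plain object URL it extends. Bucket name, key, region, timestamp and the credentials are constructed placeholders; the plain URL carries no identity, expiry or signature, while the presigned one is bound to a credential scope, an expiry and the exact key being fetched.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholder credentials; they sign nothing AWS will accept.
ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
SECRET_KEY = "example-secret-placeholder"


def object_url(bucket, key, region):
    # Plain virtual-hosted object URL: no identity, no expiry, no signature,
    # so S3 serves it only when anonymous users may read the object.
    return f"https://{bucket}.s3.{region}.amazonaws.com/{quote(key, safe='/')}"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, region, expires, amz_date=None,
                access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """SigV4 query-string presigned GET URL (what an SDK builds for get_object)."""
    if amz_date is None:
        amz_date = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {  # sorted alphabetically, as the canonical query string requires
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    # Canonical request: method, path, query, canonical headers, signed headers, payload.
    canonical = "\n".join(["GET", "/" + quote(key, safe="/"), query,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    signing_key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):  # derive date/region/service key
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(),
                         hashlib.sha256).hexdigest()
    return f"{object_url(bucket, key, region)}?{query}&X-Amz-Signature={signature}"


def query_params(url):
    """Query parameters of a URL as a flat dict, for inspecting a presigned URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```

Anyone holding the presigned URL can fetch the object until X-Amz-Expires elapses, so keep the expiry short and treat the URL itself as a bearer credential.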
A few ideas, but first, a definition. A bucket is private when, as you stated:
All anonymous users who don't have an IAM account must not have access. In short, something like
public access only for authorized IAM users.
As such, mark your bucket private. I believe you want the bucket to be available to your authorized users. If so, that can be accomplished.
Please think about your ideal connection strategy. Please clarify how you want your users to identify themselves to AWS.
Your users are already part of a Single Signal Domain:
Connect your users to AWS Identity Center that is federated to their SSO domain. Then use Attribute Based Attribute Control (ABAC) to limit their role access. ABAC is documented on the internet and AWS.
Your users are NOT part of a Single Signal Domain and you don't want to go down an SSO path:
Create a policy that gives the subset of your buckets to the appropriate users within your full list of users. At a minimum, the log file bucket would only be visible to you.
Can you clarify how you want to move forward?
Hello, I found that this "Object URL", which is used to access an object when the bucket is public, is not subject to any authorization or authentication. It is used only if the bucket is public and that's it, so neither identity nor resource policies could influence it. Could someone confirm that, to be 100% sure?
The policies can grant you access to the bucket and objects inside it, but only inside the AWS console, CLI, etc.
Thank you in advance.
For better access management, you can check NirvaShare https://aws.amazon.com/marketplace/pp/prodview-hcqszucfxsvye
Hey Borislav. If you want to restrict the bucket to only a specific set of users, it will not be public anymore. The concept of public means that anyone not authenticated will be able to access the bucket and objects. When you intend to restrict it to IAM users, it will not be public anymore.