By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How allow s3:putobject with inline policy only for the buckets belonging to a specific AWS account ?

0

Hi,

I use a permision set on IAM Identity Center to allow access with ReadOnly permission on several accounts. I attached the AWS managed policy "ReadOnlyAccess" on this Permission set. For one of these accounts, I want to allow s3:putobject by adding an Inline policy on this Permission set, but I don't know what is the right syntax to do that. How allow s3:putobject with inline policy only for the buckets belonging to a specific AWS account ?

Thx

Best regards

Benoit

Topics
Security, Identity, & Compliance
Tags
AWS IAM Identity Center
Language
English
Benoit L
asked a year ago373 views
2 Answers
0
Accepted Answer

You could add a condition that compares the Bucket account with the Principle's account. Something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1677693648738",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
profile pictureAWS
EXPERT
kentrad
answered a year ago
profile picture
EXPERT
Giovanni Lauria
reviewed a month ago
0

Hi

I replace ${aws:PrincipalAccount} with my accound ID and it's work like I need !

Thx

Best regards

Benoit

Benoit L
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content