S3 http access forbidden error


I have SSM document that accessing an S3 bucket using HTTPS. The bucket contains an installer . I can access the installer using below S3 policy, but it is open to public. Is there a way to restrict it to only in my Organization account?

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "AllowReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
            "Resource": "arn:aws:s3:::Bucket-Name/*"

I tried to add a condition but I got 403 Forbidden error.

			"Condition": {
			    "StringEquals": {
				    "aws:PrincipalOrgID": ["o-xxxxxxxx"] 

Any suggestions?

asked 3 days ago23 views
1 Answer

Hi, it would be better to create an automation service role for SSM and include access to the S3 bucket in it. You can then get rid of the S3 bucket policy if its only purpose is SSM access

See https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html

profile pictureAWS
answered 3 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions