
S3 access policy Limit PUT function


Hello, How do I restrict a user/role to have PutObject ability only scoped to a specific prefix in an S3 bucket?

I created an S3 bucket and created prefixes under it as:

  • HR
  • Finance
  • SRE

I put a few files under each prefix and, additionally, I put files in the root directory of the S3 bucket.

I have created roles with the same name as each prefix, and the IAM policy of one of the roles (Finance) reads:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:us-east-1:ACCID:accesspoint/fin-s3ap",
                "arn:aws:s3:us-east-1:ACCID:accesspoint/fin-s3ap/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointArn": "arn:aws:s3:us-east-1:ACCID:accesspoint/fin-s3ap"
                }
            }
        }
    ]
}

On the bucket policy, I have:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::s3-apt-accesspoint-testusecase",
                "arn:aws:s3:::s3-apt-accesspoint-testusecase/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointAccount": "ACCID"
                }
            }
        }
    ]
}

The AccessPoint policy reads:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCID:role/Finance"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:us-east-1:ACCID:accesspoint/fin-s3ap/object/*"
        }
    ]
}

I created an EC2 instance and attached the Finance IAM role, and I was under the assumption that it would only allow PUT to the Finance/ prefix of the bucket. However, when I run the commands below against any other prefix, they *succeed* as well:

aws s3api put-object --bucket <<Finance Access Point S3 Alias>> --key HR/file1.txt --body file1.txt
aws s3api put-object --bucket <<Finance Access Point S3 Alias>> --key Finance/file2.txt --body file2.txt
aws s3api put-object --bucket <<Finance Access Point S3 Alias>> --key SRE/file3.txt --body file3.txt

I want to avoid that and only allow the Finance role to put objects in the Finance/ prefix. How do I achieve that?

2 Answers

Recognizing you may have only posted a snippet of the policy, but do you have a blanket 'deny' in your policy as well? That will deny any action not explicitly allowed.

Access Analyzer may help you troubleshoot your policy as well.

answered 6 months ago
  • Hi, these are the complete policies. I don't have any explicit deny rule stated on the access point policy, the bucket policy, or the IAM policy.


If I'm reading this correctly, you're creating IAM role policies (no implicit deny), not resource policies (which have an implicit deny). If the flow is Adopt IAM Role --> authorize into "Access Point" --> Bucket Policy, then what is happening is that the access point is letting people in via the various roles, role/Finance or role/HR. You would need to evaluate whether the access point adopts a specific role (Finance only) or whether it has all of the identity policies attached to it.

If AccessPoint has all of the identity policies attached to it, then I think this may be coming into play: "Identity-based policies are attached to an IAM identity (user, group of users, or role) and grant permissions to IAM entities (users and roles). If only identity-based policies apply to a request, then AWS checks all of those policies for at least one Allow."

Potentially, you could also use attribute-based access control, where the role takes on a tag and you then add that to the bucket policy to define which tags get you where.

For the policy evaluation flow chart, look here.

answered 6 months ago
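To show where the prefix scoping has to go, here is an added example that is not from the question or either answer: the Finance access point policy as posted beside a version whose Resource is narrowed to the Finance/ prefix using the documented `accesspoint/<name>/object/<prefix>/*` ARN form, plus a small matcher that checks which object keys each Resource pattern covers. The matcher implements only IAM's `*` and `?` wildcards on the Resource element (Principal and Condition are not modelled), and the role's identity policy should have its Resource narrowed the same way so that neither policy grants a broader write than intended; the ACCID placeholder and role name are taken from the question.

```python
import json
import re

# Access point ARN from the question (ACCID is the questioner's placeholder).
ACCESS_POINT = "arn:aws:s3:us-east-1:ACCID:accesspoint/fin-s3ap"


def allow_put(resource: str) -> dict:
    """Build the access point policy from the question with the given Resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::ACCID:role/Finance"},
            "Action": "s3:PutObject",
            "Resource": resource,
        }],
    }


# As posted: every object reachable through the access point.
ORIGINAL_POLICY = allow_put(f"{ACCESS_POINT}/object/*")
# Narrowed: only object keys under the Finance/ prefix.
SCOPED_POLICY = allow_put(f"{ACCESS_POINT}/object/Finance/*")


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM Resource wildcard semantics: '*' matches any run of characters
    (including '/'), '?' matches exactly one character, the rest is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def put_allowed(policy: dict, key: str) -> bool:
    """Does any Allow statement for s3:PutObject cover the object ARN of `key`?"""
    object_arn = f"{ACCESS_POINT}/object/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:PutObject":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(arn_matches(r, object_arn) for r in resources):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(SCOPED_POLICY, indent=4))
    for key in ("HR/file1.txt", "Finance/file2.txt", "SRE/file3.txt", "root.txt"):
        print(f"{key:18} original={put_allowed(ORIGINAL_POLICY, key)!s:5} "
              f"scoped={put_allowed(SCOPED_POLICY, key)}")
```

The identity policy's Resource `accesspoint/fin-s3ap/*` matches every object ARN under the access point just as `object/*` does, which is why the three PUTs in the question all go through.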
