S3 access policy Limit PUT function

Question

Hello, How do I restrict a user/role to have PutObject ability only scoped to a specific prefix in an S3 bucket?

I created an S3 bucket and created prefixes under it as:

HR
Finance
SRE and put a few files under each prefix and additionally, I put files in the root directory of the S3 bucket.

I have created roles with same name as each prefixes and one of the IAM role (Finance) policy reads:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:us-east-1:ACCID:accesspoint/fin-s3ap",
                "arn:aws:s3:us-east-1:ACCID:accesspoint/fin-s3ap/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointArn": "arn:aws:s3:us-east-1:ACCID:accesspoint/fin-s3ap"
                }
            }
        }
    ]
}

On the bucket policy, I have:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::s3-apt-accesspoint-testusecase",
                "arn:aws:s3:::s3-apt-accesspoint-testusecase/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointAccount": "ACCID"
                }
            }
        }
    ]
}

The AccessPoint policy reads:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::ACCID:role/Finance"
			},
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:us-east-1:ACCID:accesspoint/fin-s3ap/object/*"
		}
	]
}

Created an EC2 and attached Finance IAM Role and I was under the assumption, it will only allow PUT function to Finance/ prefix of the bucket. However when I run the below command against any other prefix that *succeeds *as well:

aws s3api put-object --bucket <<Finance Access Point S3 Alias>> --key HR/file1.txt --body file1.txt
aws s3api put-object --bucket <<Finance Access Point S3 Alias>> --key Finance/file2.txt --body file2.txt
aws s3api put-object --bucket <<Finance Access Point S3 Alias>> --key SRE/file3.txt --body file3.txt

I wanted to avoid that and only allow the role Finance to have abilities to put object in Finance/ prefix. How do I achieve that?

Answer

Recognizing you may have only posted a snippet of the policy, but do you have a blanket 'deny' in your policy as well?  That will deny any action not explicitly allowed.

[Access Analyzer](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html) may help you troubleshoot your policy as well.

Answer

If I'm reading this correctly, you're creating IAM Role policies (no implicit deny), not resource policies (has an implicit deny).  If the flow is Adopt IAM Role --> authorize into "Access Point"  --> Bucket Policy, then what is happening is that Access point is allowing the folks in via the various role/Finance or role/HR.  Would need to evaluate if AccessPoint adopts a specific role (finance only) or if it has all of the Identity Policies attached to it.

If AccessPoint has all of the identity policies attached to it, then I think this may be coming into play:  "Identity-based policies are attached to an IAM identity (user, group of users, or role) and grant permissions to IAM entities (users and roles). If only identity-based policies apply to a request, then AWS checks all of those policies for at least one Allow."

Potentially, could also write Attribute Based Access where the role takes on a tag, and then you add that into the bucket policy as to what tags get you where.

For the Policy flow evaluation chart, look > [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) <

S3 access policy Limit PUT function

Relevant content