Hi!
My understanding is that you want to limit Bob's ability to upload files to an S3 bucket with SSE-KMS encryption, based on the path of the uploaded file. Using bucket keys, which is now the most common setup for cost optimization, the encryption context of the KMS operation will be the bucket name and thus not depend on the key of the S3 object (the path name).
(I assume that the Deny on Encrypt/Decrypt but Allow on Create/Retire grant permission for the key is something you can change.)
So, I think it would be better to restrict Bob's upload ability using a condition based on the object resource ARN for operations using PutObjectVersion, and do that on the role that the Java application assumes when invoked by Bob.
To make this more scalable, you could implement a session policy (https://aws.amazon.com/blogs/security/create-fine-grained-session-permissions-using-iam-managed-policies/) with a variable substitution for the username (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-wheretouse), so that there is a boundary on what the application can do with the assumed role, based on the user invoking the application.
Hope this is relevant for your issue.
With kind regards,
Bent T
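As an added illustration of the session-policy approach described in the answer above (example code written for this page, not part of the original post or of any AWS sample), the block below builds the session policy the application would pass to sts:AssumeRole and then runs a simplified local check of which object keys that policy would let a given user write. The bucket name, role ARN and user names are hypothetical. The username is supplied as a session tag and referenced in the policy as ${aws:PrincipalTag/username}, a policy variable that is present in an assumed-role session; the matcher only models Allow statements and resource wildcards, not the full IAM evaluation (role identity policy, SCPs, bucket policy).

```python
import json
import re

# Hypothetical names used only for this example.
BUCKET = "example-upload-bucket"
ROLE_ARN = "arn:aws:iam::123456789012:role/JavaUploaderRole"


def build_session_policy(bucket: str) -> dict:
    """Session policy passed in the Policy parameter of sts:AssumeRole.

    It caps the assumed role so that s3:PutObject can only target objects
    whose key starts with "<username>/". IAM substitutes
    ${aws:PrincipalTag/username} from the session tag at evaluation time.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "UploadOnlyToOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/${{aws:PrincipalTag/username}}/*",
            }
        ],
    }


def assume_role_request(username: str, bucket: str) -> dict:
    """Keyword arguments for boto3's sts.assume_role(**kwargs).

    The session tag carries the name of the user who invoked the application
    and the session policy references that tag. The role's trust policy must
    also grant sts:TagSession for the Tags parameter to be accepted.
    """
    return {
        "RoleArn": ROLE_ARN,
        "RoleSessionName": f"upload-{username}",
        "Policy": json.dumps(build_session_policy(bucket)),
        "Tags": [{"Key": "username", "Value": username}],
    }


def _arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style resource matching: '*' matches any run of characters,
    '?' matches one character, everything else is literal."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    return re.match(regex, arn, re.DOTALL) is not None


def is_upload_allowed(policy: dict, username: str, bucket: str, key: str) -> bool:
    """Simplified local check (not the real IAM evaluator) of whether the
    session policy would allow s3:PutObject on s3://bucket/key for a session
    tagged with username."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "s3:PutObject" not in stmt["Action"]:
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for resource in resources:
            # Substitute the session-tag variable exactly as IAM would.
            resource = resource.replace("${aws:PrincipalTag/username}", username)
            if _arn_matches(resource, object_arn):
                return True
    return False


if __name__ == "__main__":
    policy = build_session_policy(BUCKET)
    for user, key in [("bob", "bob/report.pdf"), ("bob", "alice/report.pdf"),
                      ("bob", "bob"), ("alice", "alice/notes.txt")]:
        verdict = "allowed" if is_upload_allowed(policy, user, BUCKET, key) else "denied"
        print(f"{user:6} -> s3://{BUCKET}/{key}: {verdict}")
```

Because the session policy is an additional filter on top of the role's own permissions, the effective permissions of the session are the intersection of the two; the role's identity policy still has to grant s3:PutObject on the bucket, and the session policy cannot expand beyond it.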