Good day.
To limit access to specific IAM principals, here is our public guide: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
To limit access to specific IP addresses, here is our public guide: https://aws.amazon.com/premiumsupport/knowledge-center/block-s3-traffic-vpc-ip/
I'm hoping this is able to help you.
Truly,
Jason H.
See this page for recommended access controls: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-best-practices.html
In short, disable ACLs on the bucket and govern access via IAM. More details on how to do this here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
Hi Guys,
Sorry for the slow response and thanks for the responses I did receive.
This is kind of what I want to do but the policy gives out about the principal.
I want access to be allowed for a particular group AND only from a particular IPv4 block.
{
  "Id": "Policy1639567223578",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt16395456545451",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::awsaccount:group/backup_admins"
        ]
      }
    },
    {
      "Sid": "Stmt1631234560507",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "ip4subnet"
        }
      },
      "Principal": "*"
    }
  ]
}
This policy was built using the policy generator. When I add it to the bucket, I get this error:
Unsupported Principal: The policy type IDENTITY_POLICY does not support the Principal element. Remove the Principal element.
Cheers
You cannot specify an AWS User Group as a principal in an IAM policy:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
You could specify one or more User ARNs. Or, if you want to keep using a Group you can grant access to the bucket from a policy associated with the Group itself:
IAM Group Policy (this can be an inline policy or a managed policy attached to the Group):
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "s3:ListBucket",
      "s3:GetObject*",
      "s3:GetBucket*",
      "s3:List*",
      "s3:Abort*"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:s3:::bucket1",
      "arn:aws:s3:::bucket1/*"
    ]
  }]
}
Note: the above is not tested and be sure to limit the actions to least privileged.
And keep the Bucket Policy to restrict access from a specific IP (note: this will break access to the bucket from the AWS Console):
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": [
      "arn:aws:s3:::bucket1",
      "arn:aws:s3:::bucket1/*"
    ],
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": "x.x.x.x"
      }
    },
    "Principal": "*"
  }]
}
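As an added illustration (not part of any answer in this thread, and not AWS code), here is a small Python model of how the two policies above combine for a given request: the group policy only applies to members of backup_admins, the bucket policy applies to every caller because of "Principal": "*", and the documented ordering explicit Deny > Allow > implicit Deny decides the result. The bucket name bucket1 is taken from the thread; the CIDR 203.0.113.0/24 is a made-up stand-in for the "ip4subnet" / "x.x.x.x" placeholders. The model only handles the elements these two policies use (Action/Resource wildcards, Effect, and an aws:SourceIp IpAddress/NotIpAddress condition); it is not the real IAM engine.

```python
"""Toy model of combining an IAM group policy with an IP-restricted bucket policy.

Covers only what the two policies in the thread use: Action/Resource wildcards,
Effect, and IpAddress / NotIpAddress on aws:SourceIp. Evaluation order follows the
AWS documentation: an applicable explicit Deny wins, then any applicable Allow,
otherwise the request is implicitly denied.
"""
import fnmatch
import ipaddress

BUCKET = "bucket1"                 # bucket name from the thread
OFFICE_CIDR = "203.0.113.0/24"     # assumed stand-in for "ip4subnet" / "x.x.x.x"

# Identity-based policy: only in effect for principals that are in the group.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject*", "s3:GetBucket*",
                   "s3:List*", "s3:Abort*"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Resource-based policy: Principal "*" means it is evaluated for every caller.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE_CIDR}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style '*' wildcard matching for Action and Resource."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp.

    A bare address such as "x.x.x.x" is treated as a /32, as IAM does.
    """
    ip = ipaddress.ip_address(source_ip)
    for operator, key_values in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        networks = [ipaddress.ip_network(c, strict=False)
                    for c in _as_list(key_values["aws:SourceIp"])]
        inside = any(ip in net for net in networks)
        if operator == "IpAddress" and not inside:
            return False
        if operator == "NotIpAddress" and inside:
            return False
    return True


def _applicable_effects(policy, action, resource, source_ip):
    """Yield the Effect of every statement that applies to this request."""
    for statement in policy["Statement"]:
        if (_matches(statement["Action"], action)
                and _matches(statement["Resource"], resource)
                and _condition_holds(statement.get("Condition", {}), source_ip)):
            yield statement["Effect"]


def evaluate(action, resource, source_ip, in_group):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    policies = [BUCKET_POLICY]           # applies to any principal
    if in_group:
        policies.append(GROUP_POLICY)    # identity policy only for group members
    effects = [effect for policy in policies
               for effect in _applicable_effects(policy, action, resource, source_ip)]
    if "Deny" in effects:
        return "ExplicitDeny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/backup.tar"
    for action, ip, member in [("s3:GetObject", "203.0.113.10", True),
                               ("s3:GetObject", "198.51.100.7", True),
                               ("s3:GetObject", "203.0.113.10", False),
                               ("s3:PutObject", "203.0.113.10", True)]:
        print(f"{action:14} from {ip:14} member={member!s:5} ->",
              evaluate(action, obj, ip, member))
```

The four cases in the demo show the points the answer makes: a group member inside the CIDR is allowed, the same member from outside the CIDR hits the explicit Deny, a non-member inside the CIDR gets the implicit deny because nothing grants them anything, and a member asking for an action the group policy does not list (s3:PutObject) is also implicitly denied. The console breakage the answer mentions is not modelled here; in practice it comes from the console's requests not originating from the allowed source address.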