Access management for S3 objects in a manner similar to Linux file-based permissions

0

I am seeking to implement access management for S3 objects in a manner similar to Linux file-based permissions.

My setup involves synchronizing Linux file-based permissions with S3, where folders are represented as S3 objects. Additionally, IAM roles are synchronized with Active Directory (AD) groups, so users are assigned roles based on their group memberships. I require a dynamic solution to manage access to a potentially large number of folders with different AD groups attached.

For instance, if folder1 has group1 attached and folder2 (a child of folder1) has group2, then only users in both group1 and group2 can access folder2.

Similarly, I aim to permit access to S3 child objects (e.g., folder2) only if the user can assume both roles (role1 and role2).

My objective is to grant access to child objects based on my memberships in multiple AD groups (roles), mirroring the functionality of Linux file permissions with groups.

In summary, I am seeking a dynamic access management solution for S3 objects that takes into account my group memberships (roles) and grants access to child objects based on the combination of roles I belong to.

Additionally, I am curious whether this objective can be achieved using AWS DataZone or any other AWS service.

2 Answers
1

You can use IAM policies attached to roles or users to define permissions. In your case, IAM roles synchronized with AD groups would be central. You can use policy variables to assign permissions dynamically. For instance, you can use ${aws:username} or custom attributes from SAML assertions (when users federate into AWS using an AD identity) as variables in your IAM policies to grant access based on AD group membership. The ${aws:username} variable is used to insert the federated user's username into the policy, and a hypothetical ${aws:groups} variable (you would replace this with the actual name of the SAML attribute you use) is used to ensure the user can only access folders in the bucket that match their AD group names.

Example IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAllMyBuckets",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "ListOnlyOwnGroupPrefix",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::company-bucket",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${aws:groups}",
                        "${aws:groups}/*"
                    ]
                }
            }
        },
        {
            "Sid": "ObjectAccessUnderOwnGroupPrefix",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::company-bucket/${aws:groups}/*"
        }
    ]
}

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

answered a month ago
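A single policy variable can only match one group name, so it cannot express the asker's rule that reaching folder2 requires membership in group1 and group2. One way to get that behaviour dynamically is to compute, per federated session, which prefixes the user can traverse (Linux-style: the group of the prefix and of every labelled ancestor) and hand the result to AWS as a session policy when the role is assumed. The following is an added example, not the answerer's code; the bucket name, group names and the folder-to-group mapping are constructed for illustration, and the output is a plain IAM policy document rather than any AWS API call.

```python
import json

# Assumed bucket name and a constructed folder->group mapping (not from the page).
# Keys are S3 key prefixes without leading or trailing slashes.
BUCKET = "company-bucket"
FOLDER_GROUPS = {
    "folder1": "group1",
    "folder1/folder2": "group2",
    "folder1/folder3": "group3",
    "shared": "everyone",
}


def ancestors(prefix):
    """'a/b/c' -> ['a', 'a/b', 'a/b/c']: the prefix and every parent prefix."""
    parts = prefix.strip("/").split("/")
    return ["/".join(parts[: i + 1]) for i in range(len(parts))]


def can_traverse(prefix, user_groups, folder_groups=FOLDER_GROUPS):
    """Linux-style traversal check: the user must hold the group attached to
    the prefix itself and to every labelled ancestor. Prefixes with no entry
    in folder_groups add no requirement of their own."""
    for anc in ancestors(prefix):
        required = folder_groups.get(anc)
        if required is not None and required not in user_groups:
            return False
    return True


def accessible_prefixes(user_groups, folder_groups=FOLDER_GROUPS):
    groups = set(user_groups)
    return [p for p in sorted(folder_groups) if can_traverse(p, groups, folder_groups)]


def _list_patterns(prefixes):
    """s3:prefix patterns that match the prefix itself and anything below it."""
    return [pat for p in prefixes for pat in (p, p + "/*")]


def build_session_policy(user_groups, folder_groups=FOLDER_GROUPS, bucket=BUCKET):
    """Return an IAM policy document (dict) suitable as the session policy
    passed when the federated user assumes the role. If nothing is accessible
    the document is deny-only."""
    for p in folder_groups:
        # '*' and '?' are wildcards in IAM resource ARNs and StringLike; a key
        # containing them would widen the grant, so refuse to encode it.
        if "*" in p or "?" in p:
            raise ValueError(f"prefix {p!r} contains an IAM wildcard character")
    allowed = accessible_prefixes(user_groups, folder_groups)
    # "folder1/*" also matches keys under folder1/folder2, so every labelled
    # prefix the user cannot traverse gets an explicit Deny, which always wins.
    denied = [p for p in sorted(folder_groups) if p not in allowed]
    statements = []
    if allowed:
        statements += [
            {
                "Sid": "ListAllowedPrefixes",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": _list_patterns(allowed)}},
            },
            {
                "Sid": "ObjectsUnderAllowedPrefixes",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{p}/*" for p in allowed],
            },
        ]
    if denied:
        statements += [
            {
                "Sid": "DenyListOfBlockedPrefixes",
                "Effect": "Deny",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": _list_patterns(denied)}},
            },
            {
                "Sid": "DenyObjectsUnderBlockedPrefixes",
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}/{p}/*" for p in denied],
            },
        ]
    if not statements:
        # An empty Statement list is not a valid policy; be explicit instead.
        statements.append({"Effect": "Deny", "Action": "s3:*", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # A user in group1 only: may list and use folder1, but folder1/folder2
    # and folder1/folder3 are explicitly denied even though "folder1/*" covers them.
    print(json.dumps(build_session_policy({"group1"}), indent=2))
```

The generated document is meant for the Policy parameter of sts:AssumeRole or AssumeRoleWithSAML; a session policy can only narrow what the role itself allows, so the role still needs an Allow on the bucket. Two caveats worth checking before relying on this: the session policy plaintext is limited to 2,048 characters, so a user who can traverse many hundreds of prefixes will not fit and needs coarser per-role policies instead, and a listing of folder1/ still shows folder2/ as a common prefix (as Linux shows a directory name you cannot enter), which is usually acceptable but should be decided deliberately.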
1

If you want to access S3 objects through a filesystem, FSx for Lustre provides POSIX-compatible file system access.

https://aws.amazon.com/blogs/aws/enhanced-amazon-s3-integration-for-amazon-fsx-for-lustre/

EXPERT
Kallu
answered a month ago
