AWS S3 bucket with limited access

I want to have an S3 bucket that has limited access from users in our account. The contents of the files shouldn't be accessible to all users. We have the admins in a user group. I want to add a policy to a specific bucket that only allows users in that admin group to have access. How would one achieve this?

I have looked at all the examples I can find online & I've read through posts here in re:Post, but I haven't found anything that fits what we're looking to do.

1 Answer

I would use tags on the principals instead of group membership with a bucket policy like this:

{
  "Id": "Policy1670278952233",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1670278950745",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/role": "admin"
        }
      },
      "Principal": "*"
    }
  ]
}
kentrad (AWS EXPERT), answered a year ago
  • Thank you for the response. This was helpful. This didn't work exactly as is, but a few small changes got it working.

    Changes:

    • Having just allow didn't restrict access to people without the correct role tag. Changing this to a "Deny" and the condition to "StringNotEquals" blocks people without the tag.
    • I was hoping to have this cover both access to the bucket and objects in that bucket. To do that I needed to add a 2nd resource for the items in the bucket.
  • Resulting policy:

    {
        "Version": "2012-10-17",
        "Id": "Policy1670282433764",
        "Statement": [
            {
                "Sid": "Stmt1670282432513",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::bucket-name",
                    "arn:aws:s3:::bucket-name/*"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "aws:PrincipalTag/role": "admin"
                    }
                }
            }
        ]
    }
    
  • I have one question about this approach. Since the principal is set to "*", will users in other accounts who have the correct tag be allowed to access the bucket?

  • That's a good point. Add the ARN to the Principal to limit it to users in your account.
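To see what the final Deny policy does, and what the last comment is worried about, here is a small added Python model (not code from the thread or from AWS) that evaluates the Deny statements against constructed request contexts; it models only the explicit-Deny step of IAM evaluation, not the full algorithm. As an alternative to narrowing the Principal element, it adds a second Deny keyed on the global condition key aws:PrincipalAccount; the account id and the sample principals are placeholders.

```python
import fnmatch

BUCKET = "bucket-name"
MY_ACCOUNT = "111122223333"  # constructed placeholder, not a real account id

def deny_unless(condition_key: str, value: str, sid: str) -> dict:
    """A Deny statement on the bucket and its objects that matches every
    principal whose request context lacks condition_key == value."""
    return {
        "Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {condition_key: value}},
    }

# The policy the thread ended with: deny anyone not tagged role=admin.
TAG_ONLY = {"Version": "2012-10-17",
            "Statement": [deny_unless("aws:PrincipalTag/role", "admin", "DenyUntagged")]}
# Same policy plus a second Deny for principals outside this account.
TAG_AND_ACCOUNT = {"Version": "2012-10-17",
                   "Statement": TAG_ONLY["Statement"]
                   + [deny_unless("aws:PrincipalAccount", MY_ACCOUNT, "DenyOtherAccounts")]}

# Constructed request contexts (the values IAM would populate from the caller).
ADMIN_HERE = {"aws:PrincipalTag/role": "admin", "aws:PrincipalAccount": MY_ACCOUNT}
DEV_HERE = {"aws:PrincipalTag/role": "dev", "aws:PrincipalAccount": MY_ACCOUNT}
UNTAGGED_HERE = {"aws:PrincipalAccount": MY_ACCOUNT}
ADMIN_ELSEWHERE = {"aws:PrincipalTag/role": "admin", "aws:PrincipalAccount": "999999999999"}

def _condition_matches(operator: str, key: str, wanted: str, ctx: dict) -> bool:
    actual = ctx.get(key)
    if operator == "StringEquals":
        return actual == wanted
    if operator == "StringNotEquals":  # negated operators also match when the key is absent
        return actual != wanted
    raise ValueError(f"operator not modelled: {operator}")

def is_denied(policy: dict, ctx: dict, action: str = "s3:GetObject",
              resource: str = f"arn:aws:s3:::{BUCKET}/secret.txt") -> bool:
    """True if some Deny statement matches. Principal "*" matches everyone, so only
    the resource, the action and the condition block decide."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or not fnmatch.fnmatchcase(action, st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        conds = ((op, k, v) for op, kv in st.get("Condition", {}).items() for k, v in kv.items())
        if all(_condition_matches(op, k, v, ctx) for op, k, v in conds):
            return True
    return False
```

With TAG_ONLY, an admin-tagged principal from another account is not matched by the Deny; with TAG_AND_ACCOUNT it is, while in-account admins still pass both statements.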
