Access point policy is not restricting the access to bucket

0

I have a bucket which restricts access to it only through access policy. I see that it is not working as expected. Here is the bucket policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::admin-only-bucket",
                "arn:aws:s3:::admin-only-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:DataAccessPointAccount": "xxxxxxxxxxxx"
                }
            }
        }
    ]
}

The access point has the following policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

My intent is to restrict the bucket only to the admin user. When I list the objects in the bucket 'admin-only-accesspoint', it is working fine.

aws s3api list-objects --bucket arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint --profile admin

But I am also able to list objects with another user 'staff'.

aws s3api list-objects --bucket arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint --profile staff

Just wondering why the access is not restricted to admin user.

3 answers
1

You've answered this yourself but for others reading along, this is explained in a lot of detail in the documentation.

A common thing that has tripped me up in the past is that if the IAM policy for the role I'm using allows access to an S3 bucket, and the S3 bucket policy doesn't include my identity specifically and doesn't deny me access, then I'm allowed access, because (as you point out) there isn't an explicit deny. If my IAM policy did not allow me access in the first place then I wouldn't have access, because the implicit deny would stop me.

AWS Expert
Answered 1 year ago
0
Accepted answer

I see that it is working as expected if I change the policy as

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

Apparently, the access point policy allows everything by default unless there is a deny.

Better solution is this one -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/admin"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:us-east-1:xxxxxxxxxxxx:accesspoint/admin-only-accesspoint"
        }
    ]
}

The issue was that all the users I was trying had all the permissions for S3. So, I removed all the S3 permissions for the users and allowed them access only through the bucket and access point policy, which resolved the issue.

So if the identity has permission to access S3, the bucket and access point policies have no impact unless there is an explicit deny.

Answered 1 year ago
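To make the evaluation logic behind this answer concrete, here is an added example (not code from the question or either answer) that models the same-account decision rule from the IAM documentation: an applicable explicit Deny in any policy wins, otherwise an applicable Allow in the identity policy, bucket policy or access point policy grants the request, otherwise the request is implicitly denied. The account id, user ARNs and the "staff" identity policy are constructed placeholders; the bucket and access point policies are those posted above. SCPs, permission boundaries, session policies and cross-account evaluation are deliberately left out.

```python
"""Toy evaluator for same-account S3 access point authorization (constructed example)."""
import fnmatch

ACCOUNT = "111111111111"  # constructed placeholder account id
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/admin"
STAFF = f"arn:aws:iam::{ACCOUNT}:user/staff"
BUCKET = "arn:aws:s3:::admin-only-bucket"
ACCESS_POINT = f"arn:aws:s3:us-east-1:{ACCOUNT}:accesspoint/admin-only-accesspoint"

# Bucket policy from the question: deny unless the request comes through an
# access point owned by ACCOUNT (the s3:DataAccessPointAccount context key).
BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotEquals": {"s3:DataAccessPointAccount": ACCOUNT}}}]}

# Access point policy from the question: an Allow for admin only.
AP_ALLOW_ADMIN = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ADMIN},
    "Action": "s3:ListBucket", "Resource": ACCESS_POINT}]}

# Access point policy from the accepted answer: explicit Deny for everyone but admin.
AP_DENY_NOT_ADMIN = {"Statement": [{
    "Effect": "Deny", "NotPrincipal": {"AWS": ADMIN},
    "Action": "s3:ListBucket", "Resource": ACCESS_POINT}]}

# Broad identity policy the users had attached (constructed; the root cause).
FULL_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principal_matches(stmt, principal):
    if "Principal" in stmt:
        p = stmt["Principal"]
        arns = ["*"] if p == "*" else _as_list(p.get("AWS"))
        return any(a in ("*", principal) for a in arns)
    if "NotPrincipal" in stmt:
        return principal not in _as_list(stmt["NotPrincipal"].get("AWS"))
    return True  # identity policies carry no Principal; the attached identity is implied


def _condition_matches(stmt, context):
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual, expected = context.get(key), _as_list(pairs[key])
            if operator == "StringEquals" and (actual is None or actual not in expected):
                return False
            # In IAM a missing key satisfies StringNotEquals, so a direct
            # (non-access-point) request falls into the Deny above.
            if operator == "StringNotEquals" and actual is not None and actual in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def _applies(stmt, principal, action, resources, context):
    return (_principal_matches(stmt, principal)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(r, pat)
                    for pat in _as_list(stmt["Resource"]) for r in resources)
            and _condition_matches(stmt, context))


def evaluate(policies, principal, action, resources, context):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    decision = "IMPLICIT_DENY"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, principal, action, resources, context):
                continue
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"  # an applicable Deny always wins
            decision = "ALLOW"
    return decision


def list_via_access_point(principal, identity_policy, ap_policy):
    """ListBucket through the access point: identity + bucket + access point policies."""
    policies = [p for p in (identity_policy, BUCKET_POLICY, ap_policy) if p]
    return evaluate(policies, principal, "s3:ListBucket", [BUCKET, ACCESS_POINT],
                    {"s3:DataAccessPointAccount": ACCOUNT})


def list_bucket_directly(principal, identity_policy):
    """ListBucket on the bucket ARN itself: no access point, so no context key."""
    policies = [p for p in (identity_policy, BUCKET_POLICY) if p]
    return evaluate(policies, principal, "s3:ListBucket", [BUCKET], {})


if __name__ == "__main__":
    for label, ident, ap in (("question as posted", FULL_S3, AP_ALLOW_ADMIN),
                             ("NotPrincipal deny", FULL_S3, AP_DENY_NOT_ADMIN),
                             ("no S3 identity perms", None, AP_ALLOW_ADMIN)):
        print(f"{label:22} admin={list_via_access_point(ADMIN, ident, ap):13} "
              f"staff={list_via_access_point(STAFF, ident, ap)}")
    print(f"{'direct to bucket':22} staff={list_bucket_directly(STAFF, FULL_S3)}")
```

Running it reproduces the thread: with the broad identity policy attached, staff is allowed through the access point because nothing denies them and the identity policy already allows; the NotPrincipal Deny closes that, and so does removing the S3 permissions from the identity, at which point only admin has an applicable Allow (from the access point policy). The direct-to-bucket request is explicitly denied for everyone, which is what the bucket policy's StringNotEquals condition was doing all along.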
0

Try using the following policies:

IAM Policy:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"IAMPolicyForS3BucketAccess",
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetObject",
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::my-bucket",
            "arn:aws:s3:::my-bucket/*"
         ]
      }
   ]
}

Bucket Policy:

{
   "Id":"Policy1585661668608",
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyRequestThatDoNotUseTheAccessPointAccount",
         "Effect":"Deny",
         "Principal":{
            "AWS":[
               "arn:aws:iam::111111111111:root"
            ]
         },
         "Action":[
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::admin-only-bucket",
            "arn:aws:s3:::admin-only-bucket/*"
         ],
         "Condition":{
            "StringNotEquals":{
               "s3:DataAccessPointAccount":"111111111111"
            }
         }
      }
   ]
}

Access Point Policy:

{
   "Version":"2008-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws:iam::111111111111:user/admin"
         },
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:us-east-1:111111111111:accesspoint/admin-only-accesspoint"
      }
   ]
}
AWS
Answered 1 year ago
  • It is not clear how this is going to solve the issue.
