AWS S3 bucket with limited access

0

I want to have an S3 bucket that has limited access from users in our account. The contents of the files shouldn't be accessible to all users. We have the admins in a user group. I want to add a policy to a specific bucket that only allows users in that admin group to have access. How would one achieve this?

I have looked at all the examples I can find online & I've read through posts here in re:Post, but I haven't found anything that fits what we're looking to do.

1 answer
0

I would use tags on the principals instead of group membership with a bucket policy like this:

{
  "Id": "Policy1670278952233",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1670278950745",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/role": "admin"
        }
      },
      "Principal": "*"
    }
  ]
}
AWS Expert
kentrad
answered 1 year ago
  • Thank you for the response. This was helpful. This didn't work exactly as is, but a few small changes got it working.

    Changes:

    • Having just allow didn't restrict access to people without the correct role tag. Changing this to a "Deny" and the condition to "StringNotEquals" blocks people without the tag.
    • I was hoping to have this cover both access to the bucket and objects in that bucket. To do that I needed to add a 2nd resource for the items in the bucket.
    Resulting policy:

    {
        "Version": "2012-10-17",
        "Id": "Policy1670282433764",
        "Statement": [
            {
                "Sid": "Stmt1670282432513",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::bucket-name",
                    "arn:aws:s3:::bucket-name/*"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "aws:PrincipalTag/role": "admin"
                    }
                }
            }
        ]
    }
    
  • I have one question about this approach. Since the principal is set to "*", will users in other accounts who have the correct tag be allowed to access the bucket?

  • That's a good point. Add the ARN to the Principal to limit to users with your account.
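A toy evaluator, added here as an example and not part of the thread or of any AWS code, that models the IAM evaluation rules against the two policies above (explicit Deny wins; a same-account principal needs an Allow from either its identity policy or the bucket policy; a cross-account principal needs an Allow from both). The account ids, tags and identity-policy grants are constructed placeholders.

```python
"""Toy model of IAM evaluation for the bucket policies in this thread.
Constructed example, not AWS code. It models only three rules: an explicit
Deny wins; a same-account principal needs an Allow from its identity policy
OR the bucket policy; a cross-account principal needs an Allow from both."""

BUCKET_ACCOUNT = "111111111111"  # placeholder account id (assumption)


def bucket_policy(effect, operator):
    """Build a policy with the same shape as the two posted in the thread."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
        "Condition": {operator: {"aws:PrincipalTag/role": "admin"}}}]}


ALLOW_ONLY = bucket_policy("Allow", "StringEquals")        # the answer's version
DENY_UNTAGGED = bucket_policy("Deny", "StringNotEquals")   # the commenter's fix


def condition_matches(cond, tags):
    """Evaluate StringEquals / StringNotEquals on aws:PrincipalTag/* keys.
    A missing tag fails StringEquals and satisfies StringNotEquals, as in IAM."""
    for op, kv in cond.items():
        for key, want in kv.items():
            have = tags.get(key.removeprefix("aws:PrincipalTag/"))
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True


def is_allowed(policy, principal):
    """principal = {'account': str, 'tags': dict, 'identity_allow': bool}.
    identity_allow models an Allow for s3:* in the caller's own IAM policy."""
    effects = {s["Effect"] for s in policy["Statement"]
               if condition_matches(s.get("Condition", {}), principal["tags"])}
    if "Deny" in effects:           # explicit deny always wins
        return False
    bucket_allow = "Allow" in effects
    if principal["account"] == BUCKET_ACCOUNT:
        return principal["identity_allow"] or bucket_allow
    return principal["identity_allow"] and bucket_allow  # cross-account needs both
```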
