发表新帖
发表新帖

Restrict List of Buckets for a Specific User

前端 未结
关注
4 2029
梦谈多话
梦谈多话 2020-12-03 12:00

I\'ve been able to generate a user policy that only gives access to a specific bucket, however after trying everything (including this post: Is there an S3 policy for limiti

4条回答
  • 一整个雨季
    一整个雨季 (楼主)
    2020-12-03 12:27

    I came here looking for how to restrict access to a bucket to one (or a list of) user(s). Maybe, post title is ambiguous ?

    Anyway, it seems to have Google's favor, so let's enrich it a little :
    If you need to restrict access to a bucket to some user(s), follow those steps :


    First, get the IDs of the user you want to grant rights to.
    This can be achieved using the awscli command aws iam list-users
    Those IDs look like this : "AIDAIFKYAC9DNJXM2CRD", or "AIDAZ362UEKJCJMFFXCL"
    Please, comment if it's available in the web console.

    Once you got the ID(s) that must be given access, put a policy on the bucket you want to protect.
    To do this with the web console :
    -> Open S3 -> Open your bucket -> Select the "properties" tab -> Click on "Edit bucket policy"

    To apply the policy using awscli, create a file with the policy's content, and put it on your bucket using this command :
    aws s3api put-bucket-policy --bucket NAME_OF_YOUR_BUCKET --policy file:///path/to/policyFile.json
    Of course, set YOUR_BUCKET_NAME and the file's path to your values, BUT DON'T remove the file:// prefix before your file's name


    Warning : this deny policy will override the default "access to s3" a user could have. This means you can deny access to your OWN user with this. Use with caution !
    I'm even afraid you could make a bucket fully innaccessible.
    Out of curiosity, I tried accessing with our account's root user, which I didn't grant access to, and effectively couldn't.
    Gotta ask this to support, and hopefully update this answer.

    Anyway, I'm sure you'll be careful enough, so here's a sample policy.
    Just replace the bucket's name with yours and the userId(s) with the one(s) you want to authorize to access.

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AIDAXAXAXAXAXAXAXAXAX",
            "AIDAOXOXOXOXOXOOXOXOX",
            "AIDAXIXIXIXIXIXIXIXIX"
          ]
        }
      }
    }
  ]
}

    For something more specific, or if you want to use roles instead of users, see this AWS post explaining in detail how to restrict access to a buckets

    Hope this helps

    0 讨论(0)
 看不清?
提交回复
热议问题