S3 Bucket Policy to Allow access to specific users and restrict all
To achieve what you want, use an explicit deny with a NotPrincipal policy element. The policy below will ensure no other user can access the buckets other than the users listed in the NotPrincipal element:
```json
{
  "Id": "bucketPolicy",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::1234567890:user/alloweduser"
        ]
      },
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}
```
rocky
Updated on July 28, 2022

Comments
-
rocky almost 2 years
I searched through existing questions and couldn't find an answer. Hence posting here.
I want to restrict access to an S3 bucket to all users except a select few users using an S3 bucket policy. I understand an IAM policy is easy to manage and administer, but I don't like to create roles and groups for this specific case and want an S3 bucket policy created.
Here is what I have tried so far, and it is not restricting access to users as expected.
```json
{
  "Version": "2012-10-17",
  "Id": "bucketPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": ["arn:aws:iam::1234567890:user/allowedusername"] },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]
    },
    {
      "Effect": "Deny",
      "Principal": { "AWS": ["arn:aws:iam::1234567890:user/denieduser"] },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]
    }
  ]
}
```
I tried to deny all like below, but that explicit deny took precedence over allow and I myself am not able to access the bucket now ;-( That's another issue I have.
```json
{
  "Effect": "Deny",
  "Principal": { "AWS": ["*"] },
  "Action": "s3:*",
  "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]
}
```
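The following is an added example, not code from the question or the answer: a simplified model of how AWS evaluates the three bucket policies on this page for same-account IAM users, assuming each user also holds an identity policy granting s3:* (the usual reason the Allow/Deny version still leaks access). The user `someotheruser` is constructed for illustration and appears in no policy above.

```python
# Added example (not from the question or answer). Action, Resource and
# Condition matching are omitted on purpose: every statement on the page
# uses s3:* on the same bucket, so only the principal test differs.

ACCOUNT = "arn:aws:iam::1234567890:"
ALLOWED_USER = ACCOUNT + "user/alloweduser"
DENIED_USER = ACCOUNT + "user/denieduser"
OTHER_USER = ACCOUNT + "user/someotheruser"  # constructed: named in no policy

# Questioner's first attempt: Allow one user, Deny one named user.
ALLOW_DENY_POLICY = [
    {"Effect": "Allow", "Principal": {"AWS": [ALLOWED_USER]}},
    {"Effect": "Deny", "Principal": {"AWS": [DENIED_USER]}},
]
# Questioner's second attempt: Deny everyone, which locks out the author too.
DENY_ALL_POLICY = [{"Effect": "Deny", "Principal": {"AWS": ["*"]}}]
# Accepted answer: Deny every principal NOT in the list.
NOT_PRINCIPAL_POLICY = [{"Effect": "Deny", "NotPrincipal": {"AWS": [ALLOWED_USER]}}]


def statement_matches(stmt, principal):
    """True if the statement applies to this principal ARN."""
    if "Principal" in stmt:
        listed = stmt["Principal"]["AWS"]
        return "*" in listed or principal in listed
    return principal not in stmt["NotPrincipal"]["AWS"]


def is_allowed(bucket_policy, principal, identity_allows):
    """Same-account evaluation: any matching explicit Deny wins; otherwise an
    Allow from either the identity policy or the bucket policy is enough."""
    allowed = identity_allows
    for stmt in bucket_policy:
        if not statement_matches(stmt, principal):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policies = [("allow/deny", ALLOW_DENY_POLICY),
                ("deny all", DENY_ALL_POLICY),
                ("NotPrincipal", NOT_PRINCIPAL_POLICY)]
    for name, policy in policies:
        for user in (ALLOWED_USER, DENIED_USER, OTHER_USER):
            short = user.split("/")[-1]
            print(f"{name:12} {short:15} -> {is_allowed(policy, user, True)}")
```

A Deny-only policy grants nothing, so `alloweduser` still needs an Allow from an identity policy or an added Allow statement, and the account root ARN is normally listed in NotPrincipal as well so the account cannot lock itself out.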
-
lft93ryt over 6 years: I get the following error:
This policy contains the following error: Has prohibited field Id. For more information about the IAM policy grammar, see AWS IAM Policies.
-
ImPurshu about 5 years: @excessivedemon What if any AWS service wants to access this bucket? i.e. EMR or Redshift.
-
user1297406 over 4 years: Same question as @ImPurshu, what if at the same time we want other services to access the bucket?
-
clg4 over 3 years: Where do we add the above policy? You can't add principal policies in the Policies section, or attached to users. Do you add it to the bucket? If so, how?