S3 Bucket Policy to Allow access to specific users and restrict all


To achieve what you want, use an explicit deny with a NotPrincipal policy element. The policy below will ensure no other user can access the buckets other than the users listed in the NotPrincipal element:

{
        "Id": "bucketPolicy",
        "Statement": [
                {
                        "Action": "s3:*",
                        "Effect": "Deny",
                        "NotPrincipal": {
                                "AWS": [
                                        "arn:aws:iam::1234567890:user/alloweduser"
                                ]
                        },
                        "Resource": [
                                "arn:aws:s3:::examplebucket",
                                "arn:aws:s3:::examplebucket/*"
                        ]
                }
        ],
        "Version": "2012-10-17"
}
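As an added illustration (not part of the answer above), here is a small Python model of the evaluation logic that makes the difference between the two approaches visible: the asker's Allow/Deny pair leaves a gap for any principal not named in it, whereas the NotPrincipal deny catches everyone except the listed user. It assumes the simplified IAM rule "matching explicit Deny wins, otherwise any Allow, otherwise implicit deny", models the caller's own IAM policy as an `identity_allows` flag, and uses a constructed principal ARN for the "other user" case.

```python
import fnmatch
import json

# The two bucket policies from this page, embedded as sample data.
ASKER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::1234567890:user/allowedusername"]},
   "Action": "s3:*", "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]},
  {"Effect": "Deny", "Principal": {"AWS": ["arn:aws:iam::1234567890:user/denieduser"]},
   "Action": "s3:*", "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]}]}""")
ANSWER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "NotPrincipal": {"AWS": ["arn:aws:iam::1234567890:user/alloweduser"]},
   "Action": "s3:*", "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]}]}""")


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _principal_matches(stmt, principal):
    # NotPrincipal inverts the match; Principal may be "*" or an "AWS" list.
    if "NotPrincipal" in stmt:
        return principal not in _as_list(stmt["NotPrincipal"]["AWS"])
    p = stmt["Principal"]
    if p == "*":
        return True
    return any(fnmatch.fnmatchcase(principal, a) for a in _as_list(p["AWS"]))


def evaluate(bucket_policy, principal, action, resource, identity_allows=False):
    """Simplified IAM logic (assumption): a matching explicit Deny always wins;
    otherwise an Allow from the bucket policy or from the caller's own IAM
    policy (modelled by identity_allows) grants access; otherwise implicit deny."""
    allowed = identity_allows
    for stmt in bucket_policy["Statement"]:
        if not _principal_matches(stmt, principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"
```

Note that the NotPrincipal statement only denies: the allowed user still needs an Allow from somewhere (their IAM policy or an additional bucket-policy statement) before they can read the bucket.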
Author by rocky

Updated on July 28, 2022

Comments

  • rocky
    rocky almost 2 years

    I searched through existing questions and couldn't find an answer. Hence posting here.

    I want to restrict access to an S3 bucket to all users except a select few users using an S3 bucket policy. I understand an IAM policy is easy to manage and administer, but I don't like to create roles and groups for this specific case and want an S3 bucket policy created.

    Here is what I have tried so far, and it is not restricting access to users as expected.

    {
      "Version": "2012-10-17",
      "Id": "bucketPolicy",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": ["arn:aws:iam::1234567890:user/allowedusername"]
          },
          "Action": "s3:*",
          "Resource": ["arn:aws:s3:::examplebucket",
                       "arn:aws:s3:::examplebucket/*"]
        },
        {
          "Effect": "Deny",
          "Principal": {
            "AWS": ["arn:aws:iam::1234567890:user/denieduser"]
          },
          "Action": "s3:*",
          "Resource": ["arn:aws:s3:::examplebucket",
                       "arn:aws:s3:::examplebucket/*"]
        }
      ]
    }


    I tried to deny all like below, but that explicit deny took precedence over allow and I myself am not able to access the bucket now ;-( That's another issue I have.

    {
      "Effect": "Deny",
      "Principal": {
        "AWS": ["*"]
      },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::examplebucket",
                   "arn:aws:s3:::examplebucket/*"]
    }

  • lft93ryt
    lft93ryt over 6 years
    I get the following error: This policy contains the following error: Has prohibited field Id For more information about the IAM policy grammar, see AWS IAM Policies.
  • ImPurshu
    ImPurshu about 5 years
    @excessivedemon What if any AWS service wants to access this bucket? i.e EMR or redshift.
  • user1297406
    user1297406 over 4 years
    Same question as @ImPurshu: what if at the same time we want other services to access the bucket?
  • clg4
    clg4 over 3 years
    Where do we add the above policy? You can't add principal policies in the Policies section, or attach them to users. Do you add it to the bucket? If so, how?