I have an S3 bucket that I want to allow access to for anybody who passes a specific user agent. At the same time, I want to allow access to a set of AWS account IDs as well (who do not have to pass the user agent for access).
I already have 2 policies that satisfy each of these conditions, but I want to have 1 policy for the bucket that satisfies both of the conditions.
The first policy that allows access based on user agent (user_agent1, user_agent2):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow-username-and-password-access",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::dumps/*",
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:UserAgent": [
                        "user_agent1",
                        "user_agent2"
                    ]
                }
            }
        }
    ]
}
The 2nd bucket policy that allows access based on account ID (1 and 2):
{
    "Version": "2012-10-17",
    "Id": "Policy1606557924566",
    "Statement": [
        {
            "Sid": "Stmt1606557921184",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::1:user", "arn:aws:iam::2:user"]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::dumps/*"
        }
    ]
}
In plain English, I want access to be allowed if the account ID is 1 or 2, OR if the user passes user_agent1 or user_agent2 as a user agent (from any account ID).
How can I construct a bucket policy for this?
CodePudding user response:
You can have multiple statements in one policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow-username-and-password-access",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::dumps/*",
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:UserAgent": [
                        "user_agent1",
                        "user_agent2"
                    ]
                }
            }
        },
        {
            "Sid": "Stmt1606557921184",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::1:user", "arn:aws:iam::2:user"]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::dumps/*"
        }
    ]
}
CodePudding user response:
Just combine the statements:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow-username-and-password-access",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::dumps/*",
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:UserAgent": [
                        "user_agent1",
                        "user_agent2"
                    ]
                }
            }
        },
        {
            "Sid": "Stmt1606557921184",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::1:user", "arn:aws:iam::2:user"]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::dumps/*"
        }
    ]
}
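Before putting a merged policy on a bucket it is worth checking, offline, which requests it actually admits, because an explicit Deny statement always overrides every Allow. The script below is an added example, not code from the question or either answer: it is a small model of bucket-policy evaluation (explicit Deny wins, otherwise any matching Allow, otherwise implicit deny) covering only the operators used on this page plus StringEquals. It loads the combined policy from the answers verbatim, and beside it a constructed alternative (OR_POLICY, an assumption of mine) that expresses the asker's "account 1 or 2, OR matching user agent" as two Allow statements with no Deny. The request principal strings, the object key and the evaluator's simplifications (exact action match, glob resource match) are all assumptions for the example.

```python
from fnmatch import fnmatchcase

ACCOUNTS = ["arn:aws:iam::1:user", "arn:aws:iam::2:user"]  # placeholders from the question
AGENTS = ["user_agent1", "user_agent2"]


def stmt(sid, effect, principals, condition=None):
    """Build one s3:GetObject statement on the page's bucket (dumps/*)."""
    s = {"Sid": sid, "Effect": effect, "Principal": {"AWS": principals},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::dumps/*"}
    if condition:
        s["Condition"] = condition
    return s


# The combined policy exactly as the answers give it: one Deny, one Allow.
COMBINED_POLICY = {"Version": "2012-10-17", "Statement": [
    stmt("allow-username-and-password-access", "Deny", "*",
         {"ForAllValues:StringNotEquals": {"aws:UserAgent": AGENTS}}),
    stmt("Stmt1606557921184", "Allow", ACCOUNTS),
]}

# Constructed alternative (assumption, not from the page): the asker's OR as
# two independent Allow statements, so neither branch can veto the other.
OR_POLICY = {"Version": "2012-10-17", "Statement": [
    stmt("AllowTrustedAccounts", "Allow", ACCOUNTS),
    stmt("AllowByUserAgent", "Allow", "*",
         {"StringEquals": {"aws:UserAgent": AGENTS}}),
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_op(op, value, expected):
    if op == "StringEquals":
        return value in expected
    if op == "StringNotEquals":
        return value not in expected
    raise ValueError(f"operator not modelled: {op}")


def _condition_holds(condition, request):
    """Evaluate a Condition block; every operator/key pair must hold."""
    for operator, pairs in condition.items():
        set_prefix, _, op = operator.rpartition(":")  # "ForAllValues:StringNotEquals"
        for key, expected in pairs.items():
            actual = request.get(key)
            if set_prefix == "ForAllValues":
                # Set operator: vacuously true when the key is absent, which is
                # why the page's Deny also fires on requests sent with no User-Agent.
                if actual is not None and not all(
                        _string_op(op, v, _as_list(expected)) for v in _as_list(actual)):
                    return False
            elif actual is None or not _string_op(op, actual, _as_list(expected)):
                return False
    return True


def evaluate(policy, request):
    """Simplified bucket-policy decision: explicit Deny wins, then any Allow."""
    decision = "ImplicitDeny"
    for s in policy["Statement"]:
        principals = _as_list(s["Principal"]["AWS"])
        if not any(p == "*" or p == request["principal"] for p in principals):
            continue
        if request["action"] not in _as_list(s["Action"]):
            continue
        if not any(fnmatchcase(request["resource"], r) for r in _as_list(s["Resource"])):
            continue
        if not _condition_holds(s.get("Condition", {}), request):
            continue
        if s["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def get_object(principal, user_agent=None, key="dumps/backup.sql"):
    """Constructed s3:GetObject request; aws:UserAgent is omitted when none was sent."""
    req = {"principal": principal, "action": "s3:GetObject",
           "resource": f"arn:aws:s3:::{key}"}
    if user_agent is not None:
        req["aws:UserAgent"] = user_agent
    return req


if __name__ == "__main__":
    cases = [(ACCOUNTS[0], None), (ACCOUNTS[0], "curl/8.0"), ("anonymous", "user_agent1")]
    for name, policy in (("combined", COMBINED_POLICY), ("or", OR_POLICY)):
        for who, ua in cases:
            print(f"{name:8} {who:24} ua={ua!s:12} -> {evaluate(policy, get_object(who, ua))}")
```

Running it shows the difference between the two shapes: under the combined policy, the user in account 1 is explicitly denied as soon as the request carries any other User-Agent (or none at all, because ForAllValues is true for an absent key), and a caller with the right user agent but no matching Allow is still implicitly denied. Under the two-Allow form each branch grants on its own. Two caveats belong with either version: ForAllValues is a set operator intended for multivalued keys, and aws:UserAgent is single-valued, so a plain StringNotEquals is the appropriate operator there; and the User-Agent header is set by the client, so AWS documents aws:UserAgent as not suitable for enforcing access, which makes the user-agent branch a convenience filter rather than a security boundary. A conditioned Allow for Principal "*" is also public access from S3's point of view and is subject to the account's and bucket's Block Public Access settings.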