How to combine existing S3 bucket policy statements?

Time:11-09

I have an S3 bucket that I want to allow access to for anybody who passes a specific user agent. At the same time, I want to allow access to a set of AWS account IDs as well (who do not have to pass the user agent for access).

I already have 2 policies that satisfy each of these conditions, but I want to have 1 policy for the bucket that satisfies both of the conditions.

The first policy, which allows access based on user agent (user_agent1, user_agent2):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "allow-username-and-password-access",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::dumps/*",
                "Condition": {
                    "ForAllValues:StringNotEquals": {
                        "aws:UserAgent": [
                            "user_agent1",
                            "user_agent2"
                        ]
                    }
                }
            }
        ]
    }

The 2nd bucket policy, which allows access based on account ID (1 and 2):

    {
        "Version": "2012-10-17",
        "Id": "Policy1606557924566",
        "Statement": [
            {
                "Sid": "Stmt1606557921184",
                "Effect": "Allow",
                "Principal": {
                    "AWS": ["arn:aws:iam::1:user", "arn:aws:iam::2:user"]
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::dumps/*"
            }
        ]
    }

In plain English, I want access to be allowed if the account ID is 1 or 2, OR if the user passes user_agent1 or user_agent2 as a user agent (from any account ID).

How can I construct a bucket policy for this?

CodePudding user response:

You can have multiple statements in one policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "allow-username-and-password-access",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::dumps/*",
                "Condition": {
                    "ForAllValues:StringNotEquals": {
                        "aws:UserAgent": [
                            "user_agent1",
                            "user_agent2"
                        ]
                    }
                }
            },
            {
                "Sid": "Stmt1606557921184",
                "Effect": "Allow",
                "Principal": {
                    "AWS": ["arn:aws:iam::1:user", "arn:aws:iam::2:user"]
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::dumps/*"
            }
        ]
    }

CodePudding user response:

Just combine the statements:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "allow-username-and-password-access",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::dumps/*",
                "Condition": {
                    "ForAllValues:StringNotEquals": {
                        "aws:UserAgent": [
                            "user_agent1",
                            "user_agent2"
                        ]
                    }
                }
            },
            {
                "Sid": "Stmt1606557921184",
                "Effect": "Allow",
                "Principal": {
                    "AWS": ["arn:aws:iam::1:user", "arn:aws:iam::2:user"]
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::dumps/*"
            }
        ]
    }
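To check how the combined policy from the two answers behaves for each case in the question, here is a small evaluator (an added example, not from the original post or from AWS) that models only the bucket-policy evaluation order, explicit Deny over explicit Allow over implicit deny, for the statements on this page. IAM identity policies, bucket ACLs and other condition operators are out of scope, and the request records are constructed samples.

```python
# Combined bucket policy exactly as given in the two answers above.
COMBINED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "allow-username-and-password-access", "Effect": "Deny",
     "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::dumps/*",
     "Condition": {"ForAllValues:StringNotEquals": {
         "aws:UserAgent": ["user_agent1", "user_agent2"]}}},
    {"Sid": "Stmt1606557921184", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::1:user", "arn:aws:iam::2:user"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::dumps/*"},
]}

def _principal_matches(principal, request):
    aws = principal["AWS"]  # "*" or a single ARN or a list of ARNs
    return aws == "*" or request["principal"] in ([aws] if isinstance(aws, str) else aws)

def _condition_matches(condition, request):
    # Only the operator used on this page. ForAllValues is a set operator: for the
    # single-valued aws:UserAgent key it is true when the agent is not one of the
    # listed values, and also true when the key is absent from the request.
    listed = condition.get("ForAllValues:StringNotEquals", {}).get("aws:UserAgent", [])
    ua = request.get("user_agent")
    return ua is None or ua not in listed

def evaluate(policy, request):
    """Decision for s3:GetObject on dumps/*; action and resource are fixed here."""
    decision = "Deny"  # implicit deny until a matching Allow statement is found
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], request):
            continue
        if not _condition_matches(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow, whatever the order
        decision = "Allow"
    return decision

# Constructed sample requests covering the cases described in the question.
REQUESTS = {
    "account1_no_agent": {"principal": "arn:aws:iam::1:user"},
    "account1_with_agent": {"principal": "arn:aws:iam::1:user", "user_agent": "user_agent1"},
    "other_with_agent": {"principal": "arn:aws:iam::999:user", "user_agent": "user_agent2"},
    "other_no_agent": {"principal": "arn:aws:iam::999:user", "user_agent": "curl/8.0"},
}

def decisions():
    return {name: evaluate(COMBINED_POLICY, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:20} -> {verdict}")
```

Because the Deny statement matches every principal whose user agent is not listed, accounts 1 and 2 come out as Deny without the agent, and no statement in this policy grants access to any other principal; only the account-plus-agent case evaluates to Allow.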