AWS S3 bucket policy with condition

Time:01-10

I am new to S3 bucket policies. In the S3 documentation, I found one bucket policy (attached below). I am not sure what it means. Does it mean no one can do any action (put, read, delete, ...) except these users: "AROAEXAMPLEID:*", "AIDAEXAMPLEID", "111111111111"? Can anyone please verify?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "AIDAEXAMPLEID",
            "111111111111"
          ]
        }
      }
    }
  ]
}

CodePudding user response:

Let's break the policy down part by part to help you understand it better:

"Principal": "*" - all users
"Action": "s3:*" - all actions related to S3
"Resource": [
  "arn:aws:s3:::MyExampleBucket",
  "arn:aws:s3:::MyExampleBucket/*"
] - for the example bucket and its objects

Now let's understand the condition:

"Condition": {
  "StringNotLike": {
    "aws:userId": [
      "AROAEXAMPLEID:*",
      "AIDAEXAMPLEID",
      "111111111111"
    ]
  }
}

If the string does not contain any of the mentioned user IDs, this condition is true; since the effect is Deny, users who do not have one of the mentioned user IDs won't be able to perform S3 actions on this bucket.

If this condition is not true, which means the string contains one of the mentioned user IDs, those users will be able to perform all S3 operations on the mentioned bucket.
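As an added example, not part of the question or the answer above and not AWS's own evaluation engine, the following Python models how this single Deny statement is evaluated for a few constructed callers: IAM-style glob matching for Action, Resource and the StringNotLike values, and the shape aws:userId takes for an IAM user, an assumed role and the account root. The function names (evaluate, run_samples), the sample identities and the BUCKET constant are mine; the policy itself is the one from the question.

```python
"""Added example: a minimal evaluator for the Deny statement in the question.
Not AWS code; it models only what that statement uses (Principal "*",
glob-matched Action/Resource, String* condition operators on aws:userId)."""
import json
import re

# The bucket policy from the question, reproduced verbatim.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": ["AROAEXAMPLEID:*", "AIDAEXAMPLEID", "111111111111"]
        }
      }
    }
  ]
}
""")


def iam_glob_match(value, pattern):
    """IAM wildcard matching: '*' is any run of characters, '?' exactly one,
    everything else literal. Case-sensitive; callers lowercase both sides
    where IAM compares case-insensitively (action names)."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


# String condition operators: positive forms succeed on ANY listed value,
# the Not* forms are their negation. Other operator families are not modelled.
OPERATORS = {
    "StringEquals":    lambda v, vals: any(v == p for p in vals),
    "StringNotEquals": lambda v, vals: not any(v == p for p in vals),
    "StringLike":      lambda v, vals: any(iam_glob_match(v, p) for p in vals),
    "StringNotLike":   lambda v, vals: not any(iam_glob_match(v, p) for p in vals),
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_holds(condition, request_keys):
    """Every operator/key pair in a Condition block must be true (ANDed).
    Condition keys are assumed present in the request context."""
    for operator, keys in condition.items():
        if operator not in OPERATORS:
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, policy_values in keys.items():
            if not OPERATORS[operator](request_keys[key], _as_list(policy_values)):
                return False
    return True


def evaluate(policy, user_id, action, resource):
    """Return 'explicitDeny' if any Deny statement matches the request, else
    'noMatch'. noMatch is NOT an allow: the caller still needs an Allow from
    an identity policy or another bucket-policy statement."""
    request_keys = {"aws:userId": user_id}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if stmt.get("Principal") != "*":   # "*" = every principal, anonymous included
            raise NotImplementedError('only Principal "*" is modelled')
        # Action names are case-insensitive in IAM; S3 resource ARNs are not.
        if not any(iam_glob_match(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_glob_match(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_holds(stmt.get("Condition", {}), request_keys):
            return "explicitDeny"
    return "noMatch"


# Constructed sample callers (not real identities). aws:userId has a different
# shape per principal type, which is why the role entry in the policy ends in ":*":
#   IAM user     -> the user's unique ID                ("AIDA...")
#   assumed role -> "<role unique ID>:<session name>"   ("AROA...:name")
#   account root -> the 12-digit account ID
BUCKET = "arn:aws:s3:::MyExampleBucket"
SAMPLE_REQUESTS = [
    ("AIDAEXAMPLEID",       "s3:GetObject",    BUCKET + "/a.txt"),  # listed user
    ("AROAEXAMPLEID:alice", "s3:PutObject",    BUCKET + "/b.txt"),  # session of listed role
    ("111111111111",        "s3:ListBucket",   BUCKET),             # root of listed account
    ("AIDAOTHERUSER",       "s3:GetObject",    BUCKET + "/a.txt"),  # any other user
    ("AROAEXAMPLEIDX:bob",  "s3:DeleteObject", BUCKET + "/b.txt"),  # similar-looking role ID
    ("aidaexampleid",       "s3:GetObject",    BUCKET + "/a.txt"),  # case matters
    ("AIDAOTHERUSER",       "s3:GetObject",    "arn:aws:s3:::OtherBucket/a.txt"),  # other bucket
]


def run_samples(policy=POLICY):
    """Evaluate every sample request; returns a list of (user_id, decision)."""
    return [(uid, evaluate(policy, uid, act, res)) for uid, act, res in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (uid, act, res), (_, decision) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{decision:13} {uid:21} {act:16} {res}")
```

Running it prints one decision per sample: the three listed identities (and any session of the listed role) come back noMatch, everything else, including a role whose ID merely starts with the same characters and a lowercased copy of the user ID, comes back explicitDeny, and a request against a different bucket is noMatch because the Resource element never matched. Two points worth keeping in mind when reading the answer's summary: noMatch is not an allow, since some Allow (identity policy or another bucket-policy statement) still has to grant the action, and because a matching explicit Deny overrides every Allow in the account, leaving the account ID (the root user's aws:userId) out of the list would lock the account's administrators out of the bucket as well.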
