Condition on SCP policies for S3 buckets

Time:09-30

Could you kindly help me with conditions on SCPs? I need a policy that will block all actions on all S3 buckets but exclude particular buckets (e.g. those with the prefix secret-bucket-*).

I didn't find any solution for bucket names, only for object prefixes, and I tried with tags, but that is also not working as expected:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:ResourceTag/secret": true
                }
            }
        }
    ]
}

CodePudding user response:

Would that help?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Deny",
            "NotAction": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::secret-bucket-*"
            ]
        }
    ]
}

CodePudding user response:

Use a policy that only allows the actions on buckets with a certain prefix in the bucket name:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::secret-bucket-*"
            ]
        }
    ]
}

All other resources will be implicitly denied.
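The quickest way to see what the policies in this thread actually do is to run them through a small model of SCP evaluation. The Python below is an added example written for this page, not code from either answer or from AWS: it implements only the parts of IAM evaluation that matter here (an applicable Deny wins over any Allow, `NotAction`/`NotResource` invert the match, `*` and `?` wildcards in ARNs and action names, and the rule that a negated string operator such as `StringNotEquals` evaluates true when the key is absent from the request context). Two policies in it are my own assumptions rather than anything posted above: `FULL_AWS_ACCESS`, the AWS-managed SCP that Organizations attaches by default, and `DENY_EXCEPT_SECRET`, a Deny with `Action: s3:*` and `NotResource` for the secret buckets. The sample ARNs and request contexts are constructed.

```python
import re

# Constructed copies of the policies in this thread, plus two that are my own
# assumptions rather than anything on the page: FULL_AWS_ACCESS, the AWS-managed
# SCP that Organizations attaches by default, and DENY_EXCEPT_SECRET, a
# Deny/NotResource variant of what the question asks for.
TAG_CONDITION_DENY = {"Statement": [{                       # question
    "Effect": "Deny", "Action": ["s3:*"], "Resource": ["*"],
    "Condition": {"StringNotEquals": {"aws:ResourceTag/secret": "true"}}}]}
NOTACTION_DENY = {"Statement": [{                           # first answer
    "Effect": "Deny",
    "NotAction": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::secret-bucket-*"]}]}
ALLOW_ONLY = {"Statement": [{                               # second answer
    "Effect": "Allow", "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::secret-bucket-*"]}]}
FULL_AWS_ACCESS = {"Statement": [{
    "Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}
DENY_EXCEPT_SECRET = {"Statement": [{
    "Effect": "Deny", "Action": ["s3:*"],
    "NotResource": ["arn:aws:s3:::secret-bucket-*"]}]}

# Constructed sample resources. Account-level calls such as s3:ListAllMyBuckets
# are modelled here with the resource "*", which no bucket ARN pattern matches.
SECRET = "arn:aws:s3:::secret-bucket-prod/report.csv"
OTHER = "arn:aws:s3:::public-assets/index.html"
EC2 = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123"


def glob_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def any_match(patterns, value, fold_case=False):
    if fold_case:                       # action names are case-insensitive
        return any(glob_match(p.lower(), value.lower()) for p in patterns)
    return any(glob_match(p, value) for p in patterns)


def condition_holds(condition, context):
    """Only StringEquals/StringNotEquals are modelled. As in IAM, a negated
    operator on a key that is absent from the request context evaluates true."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals" and actual not in values:
                return False
            if operator == "StringNotEquals" and actual in values:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def statement_applies(stmt, action, resource, context):
    if "Action" in stmt and not any_match(stmt["Action"], action, True):
        return False
    if "NotAction" in stmt and any_match(stmt["NotAction"], action, True):
        return False
    if "Resource" in stmt and not any_match(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and any_match(stmt["NotResource"], resource):
        return False
    return condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Decision for one request against the SCPs attached at one level of the
    organisation: an applicable Deny wins; otherwise some Allow must apply."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource, context or {}):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    cases = [
        ("question, tag key in context", [FULL_AWS_ACCESS, TAG_CONDITION_DENY],
         "s3:GetObject", SECRET, {"aws:ResourceTag/secret": "true"}),
        ("question, tag key absent", [FULL_AWS_ACCESS, TAG_CONDITION_DENY],
         "s3:GetObject", SECRET, {}),
        ("answer 1", [FULL_AWS_ACCESS, NOTACTION_DENY], "s3:GetObject", SECRET, {}),
        ("answer 2 alone", [ALLOW_ONLY], "ec2:RunInstances", EC2, {}),
        ("Deny/NotResource", [FULL_AWS_ACCESS, DENY_EXCEPT_SECRET],
         "s3:ListAllMyBuckets", "*", {}),
    ]
    for label, scps, action, resource, ctx in cases:
        print(f"{label:30} {action:22} -> {evaluate(scps, action, resource, ctx)}")
```

Running it shows the trade-offs a practitioner should check before attaching any of these. The question's tag condition denies every request whose context does not carry `aws:ResourceTag/secret`, which is the behaviour of any negated operator on a missing key (the `...IfExists` operator variants exist for exactly this reason). The first answer's Deny applies to the `secret-bucket-*` resources themselves, so `s3:GetObject` on a secret bucket is denied while other buckets stay reachable. The second answer's allow-only SCP implicitly denies every non-S3 action as well (`ec2:RunInstances` in the sample), and it only has that effect once the default `FullAWSAccess` policy is detached, since SCPs at one level are combined. The Deny/`NotResource` variant leaves other services alone and keeps the secret buckets usable, but it also denies account-level calls such as `s3:ListAllMyBuckets`, so bucket listing in the console stops working under it. The model covers one level of SCPs only; the OU chain and the identity-based policies still have to allow the request.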
