Home > Software design >  "Implicitly denied" when I've explicitly allowed S3 IAM user actions in AWS Policy Si
"Implicitly denied" when I've explicitly allowed S3 IAM user actions in AWS Policy Si

Time:11-09

I am trying to simulate an IAM policy I want to attach to a user so I can restrict their access to two buckets, one for file upload and one for file download.

The policy simulator tells me that the following policy does not work and I cannot figure out why, but it seems to be to do with the wildcards.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetObject",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket-*-report-output/*.csv"
            ]
        },
        {
            "Sid": "PutObjects",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::mybucket-*-report-input/*.csv"
            ]
        }
    ]
}

The policy simulator says the following policy does work however:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetObject",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket-*-report-output"
            ]
        },
        {
            "Sid": "PutObjects",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::mybucket-*-report-input"
            ]
        }
    ]
}

There must be something I am missing about how to structure the policy, but I want to restrict access to the buckets in the policy, for the operations mentioned, but I also want to ensure that the user can only add and retrieve files with .csv extension.

Below is a screenshot of the simulator:

enter image description here

CodePudding user response:

Your policy is 100% correct - the IAM Policy Simulator is showing wrong results for some absurd reason.

I also can reproduce your problem using the above policy, and the results are all over the place - sometimes both allowed, both denied, only one allowed etc.

It seems to be having an issue with the double wildcard, and sometimes it is coming back with the wrong resource ARN being evaluated in the HTTP response being returned (I'm sometimes seeing both ARNs set to output instead of only 1 set to output in the network tab for the HTTP response - caching?).

It's not limited to PutObject either only and it's giving me loads of conflicting results with the double wildcard, even for other actions like s3:RestoreObject.

Regardless, I'm not sure what the issue is but your policy is correct - ignore IAM Policy Simulator in this case.

If you have access to AWS Support, I would create a support ticket there or post this same question as a potential bug on the enter image description here

CodePudding user response:

The following are valid and supported uses of the wildcard:

arn:aws:s3:::mybucket-xyz-report-output/*
arn:aws:s3:::mybucket-*-report-output/*
arn:aws:s3:::mybucket-*-*-output/*
arn:aws:s3:::mybucket-*-*-output/*

To the best of my knowledge, the following are not supported:

arn:aws:s3:::mybucket-xyz-report-output/*.csv
arn:aws:s3:::mybucket-*-report-output/*.csv

Specifically you may terminate a resource with a wildcard or you may use a wildcard within an ARN segment (the parts separated by colons), but not elsewhere. The *.csv that you are using is not within the ARN segment. This is not your typical regular expression support.

Page link:https//www.codepudding.com/Softwaredesign/184043.html

Prev:How to protect AWS tagged resources via SCP?
Next:Is there a way to assign one static elastic IP to multiple instances?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding