I'm trying to create an IAM policy to give read-only permissions on a specific bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}
The problem is that I have some buckets which are public, so I want to deny every permission on those buckets. I tried to write something like the following in the policy, but it doesn't work. My idea is to deny everything outside my specific bucket.

{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "StringNotLike": {
            "s3:prefix": [
                "mybucket",
                "mybucket/",
                "mybucket/*"
            ]
        }
    }
},
CodePudding user response:
I solved it myself with a different approach. Since s3:prefix applies only to a subset of actions, that approach won't fit my use case. Instead I can use NotResource:

{
    "Effect": "Deny",
    "Action": "*",
    "NotResource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
    ]
}
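To see what the final policy actually grants and refuses before attaching it, the following added example (not code from the thread or from AWS) models the small part of IAM evaluation this thread turns on: Action and Resource/NotResource matching with IAM's "*" and "?" wildcards, explicit Deny beating any Allow, and the absence of a matching Allow being an implicit deny. It embeds the thread's combined policy and runs constructed requests against it; "publicbucket" and the object keys are made-up sample values, and Condition blocks are deliberately not modelled. One point worth checking in the output: because the Deny uses Action "*" with NotResource listing only S3 ARNs, it also explicitly denies every action in every other service (here ec2:DescribeInstances on "*"), which is fine for a bucket-only read user but will surprise you if the same policy is attached to a principal that needs anything else.

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Models only Action / Resource / NotResource matching, explicit-Deny precedence
and implicit deny.  Condition blocks, NotAction and principals are ignored.
"""
import re

# The thread's final policy: read-only Allow on mybucket plus a Deny on
# everything outside it via NotResource.  "mybucket" is the page's example name.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::mybucket"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::mybucket/*"]},
        {"Effect": "Deny", "Action": "*",
         "NotResource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]},
    ],
}


def iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' any single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource/NotResource cover the request."""
    # Action names are case-insensitive in IAM; ARNs are compared as written.
    if not any(iam_match(p, action, case_sensitive=False)
               for p in _as_list(stmt.get("Action", []))):
        return False
    if "NotResource" in stmt:
        # NotResource covers every resource NOT in the list, in any service.
        return not any(iam_match(p, resource) for p in _as_list(stmt["NotResource"]))
    return any(iam_match(p, resource) for p in _as_list(stmt.get("Resource", [])))


def evaluate(policy: dict, action: str, resource: str):
    """Return (decision, reason): explicit Deny > Allow > implicit deny."""
    decision, reason = "Deny", "implicit (no matching Allow)"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", "explicit Deny statement"   # Deny always wins
        decision, reason = "Allow", "matching Allow statement"
    return decision, reason


if __name__ == "__main__":
    # Constructed sample requests; "publicbucket" and the keys are made up.
    for action, resource in [
        ("s3:ListBucket", "arn:aws:s3:::mybucket"),
        ("s3:GetObject", "arn:aws:s3:::mybucket/reports/2024.csv"),
        ("s3:GetObject", "arn:aws:s3:::publicbucket/index.html"),
        ("s3:PutObject", "arn:aws:s3:::mybucket/reports/2024.csv"),
        ("ec2:DescribeInstances", "*"),
    ]:
        print(f"{action:22} {resource:45} -> {evaluate(POLICY, action, resource)}")
```

Run it as a script to print a decision and reason for each sample request; to try your own policy, replace POLICY with the JSON you intend to attach and add the action/ARN pairs you care about. For the real thing, the IAM policy simulator (or a test principal with the policy attached) is the authoritative check, since this model ignores conditions and cross-policy interactions.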