Home > database >  AWS S3 bucket policy to deny everything to everyone except for one IAM user?
AWS S3 bucket policy to deny everything to everyone except for one IAM user?

Time:06-19

I have a small node application which resizes an image locally then sends it off to my S3 bucket. The issue is that I want to only accept image upload by a specific IAM user. I've tried all combinations of bucket policies and none of them seem to work. They either completely disable upload, or allow it for anyone. I'm slowly losing my mind with how bad the policies approach is when you can't achieve something this simple.

Any help?

CodePudding user response:

To manage resource access within AWS the recommendation is to use IAM roles, not users (especially when used directly instead of within a group), so any user/application/service can assume that role when needed. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

Still, if that is what you want, a policy that should work is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::IdOfYourAWSAccount:user/NameOfYourUser",
                "arn:aws:iam::IdOfYourAWSAccount:root"]
      },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::YourBucket",
                   "arn:aws:s3:::YourBucket/*"]
    }
  ]
}

CodePudding user response:

By default, buckets are private. This is good, since nobody has permission to upload or download to it.

Since you wish to grant access to a specific IAM user, you should add a policy to the IAM User rather than a Bucket Policy. So, keep the Bucket Policy empty.

You would add a policy like this to your IAM User:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::BUCKETNAME/*"
    }
  ]
}

This allows them to upload objects (PutObject) to the bucket.

  • Related