S3 tagging and access control policies not working for limiting the tags keyset on an object

Time:12-06

Trying to restrict tags to only a given set of keys that can be attached to the objects. Using bucket-level policies to define this condition. However, the logic is not working. Bucket policy (https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account-Id>:user/AdminUser"
            },
            "Action": "s3:PutObjectTagging",
            "Resource": "arn:aws:s3:::test-notifications-per-prefix/*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "s3:RequestObjectTagKeys": "LIFE"
                }
            }
        }
    ]
}

Boto3 code to upload the object:

import boto3

s3 = boto3.client('s3')

# Replace the tag set of an existing object; this call is what the
# s3:PutObjectTagging statement in the bucket policy above applies to.
response = s3.put_object_tagging(
    Bucket='test-notifications-per-prefix',
    Key="file.txt",
    Tagging={
        'TagSet': [
            {
                'Key': "TEST",        # a key outside the allowed set ("LIFE")
                'Value': "SHORTTERM"
            }
        ]
    }
)

The object is still getting uploaded when I run the above code.

I am not able to figure out why this is happening. I tried denying object tagging in the bucket policy (removed the condition from the policy and set the effect to Deny); then any object uploaded with a tag was throwing an access denied error (so the rules are definitely being applied).

Can you please let me know what I am doing wrong here?

CodePudding user response:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::<account-id>:user/AdminUser"
            },
            "Action": "s3:PutObjectTagging",
            "Resource": "arn:aws:s3:::<bucket-name>/prefix1/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:RequestObjectTag/LIFE": [
                        "2",
                        "15"
                    ]
                }
            }
        }
    ]
}

Able to restrict the key and value pairs in my S3 bucket using the following bucket policy. An explicit deny is denying all the requests coming from the principal that do not have the following tags.

However, this policy will not work for objects that are uploaded without tags.

EDIT:

We can define the policy below for a role to enforce that the tags uploaded have the given key and value pairs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<bucket-name>/prefix1/*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "s3:RequestObjectTagKeys": "LIFE"
                },
                "ForAllValues:StringEquals": {
                    "s3:RequestObjectTag/LIFE": ["2", "15"]
                }
            }
        }
    ]
}
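To see why the conditional Allow in the question blocks nothing while the explicit Deny in the answer does, here is an added Python model of the IAM condition semantics the three policies on this page rely on (example code, not from the question, the answer or AWS). It assumes, since the page does not show it, that AdminUser also holds an identity policy granting s3:*.

```python
from fnmatch import fnmatchcase

def _match(op, value, patterns):
    """Case-sensitive StringLike / StringEquals / StringNotEquals on one value."""
    if op == "StringLike":
        return any(fnmatchcase(value, p) for p in patterns)
    return (value in patterns) != (op == "StringNotEquals")

def condition_matches(condition, ctx):
    """ctx maps condition keys to lists of request values; a missing key is absent."""
    for full_op, pairs in condition.items():
        qualifier, _, op = full_op.rpartition(":")
        for key, patterns in pairs.items():
            values = ctx.get(key, [])
            if qualifier == "ForAllValues":   # vacuously true when the key is absent
                ok = all(_match(op, v, patterns) for v in values)
            elif qualifier == "ForAnyValue":  # false when the key is absent
                ok = any(_match(op, v, patterns) for v in values)
            elif not values:                  # single-valued key absent from request:
                ok = op.startswith("StringNot")  # only negated operators match
            else:
                ok = _match(op, values[0], patterns)
            if not ok:
                return False
    return True

def evaluate(statements, action, ctx):
    """Explicit Deny wins; otherwise any matching Allow grants; else implicit deny."""
    decision = "ImplicitDeny"
    for st in statements:
        if not fnmatchcase(action, st["Action"]) or not condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
# Constructed request contexts for the two tag sets discussed on the page.
TEST_TAG = {"s3:RequestObjectTagKeys": ["TEST"], "s3:RequestObjectTag/TEST": ["SHORTTERM"]}
LIFE_TAG = {"s3:RequestObjectTagKeys": ["LIFE"], "s3:RequestObjectTag/LIFE": ["2"]}
IDENTITY_ALLOW = {"Effect": "Allow", "Action": "s3:*"}  # assumed, not on the page: AdminUser has s3:*
# The question's conditional Allow: a non-matching Allow grants nothing and blocks nothing.
ASKER_ALLOW = {"Effect": "Allow", "Action": "s3:PutObjectTagging",
               "Condition": {"ForAllValues:StringLike": {"s3:RequestObjectTagKeys": ["LIFE"]}}}
# The answer's explicit Deny; an absent s3:RequestObjectTag/LIFE also satisfies StringNotEquals.
ANSWER_DENY = {"Effect": "Deny", "Action": "s3:PutObjectTagging",
               "Condition": {"StringNotEquals": {"s3:RequestObjectTag/LIFE": ["2", "15"]}}}
# The EDIT's role policy: as the only Allow, any non-match is an implicit deny.
EDIT_ALLOW = {"Effect": "Allow", "Action": "s3:PutObject",
              "Condition": {"ForAnyValue:StringEquals": {"s3:RequestObjectTagKeys": ["LIFE"]},
                            "ForAllValues:StringEquals": {"s3:RequestObjectTag/LIFE": ["2", "15"]}}}
```

Running evaluate over these shows the two traps: ForAllValues is vacuously true for a request with no tags, and the Deny applies only to s3:PutObjectTagging, so tags supplied on an s3:PutObject upload never reach it.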
