I'm trying to restrict users access to my bucket using my bucket policy. I have a set of users, all of them have an S3FullAccess policy. I can't change anything in the IAM. I have only access to my bucket policy. So I want to control the user's access using the bucket policy. I'm splitting the users into 3 categories.
- Admin access to my bucket (All access to my bucket)
- User with limited access to my bucket (like get-bucket-policy, get-bucket-location)
- No access to my bucket. (No access to my bucket)
The below policy is the one I tried, but it is not working.
{
"Version": "2012-10-17",
"Id": "PolicyTesting",
"Statement": [
{
"Sid": "0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<<account_id>>:user/users_with_limited_access"
},
"Action": [
"s3:GetBucketPolicy",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<<my_bucket_name>>",
"arn:aws:s3:::<<my_bucket_name>>/*"
]
},
{
"Sid": "1",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::<<account_id>>:user/admin_users"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<<my_bucket_name>>",
"arn:aws:s3:::<<my_bucket_name>>/*"
]
}
]
}
I tried the above policy, but only the admin users alone can access the bucket. The users with limited access unable to perform their granted actions like get-bucket-policy, get-bucket-location.They are getting an Access Denied exception. Help me to resolve this.
There is no priority order in AWS IAM policies. Please refer to the policy evaluation logic here.
The AWS enforcement code evaluates all policies within the account that apply to the request. If the code finds even one explicit deny that applies, the code returns a final decision of Deny.
Your current policy Deny all users except admin-users any S3 actions. Hence users_with_limited_access is unable to perform granted actions.
Please update your policy with the appropriate Principal(as per comments in your question) and refer to the updated policy below to make it work.