Clever Geek Handbook

AWS: Limit IAM user to specific folder in S3 bucket

So I was trying to define a policy to restrict the IAM user group to a specific folder in the S3 bucket with no success. I have canceled the policy outlined in this blog post. http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke

Specifically, I am using the following:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::mybucket"],
     "Condition":{"StringEquals":{"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::mybucket"],
     "Condition":{"StringLike":{"s3:prefix":["myfolder"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::mybucket/myfolder/*"]
   }
 ]
}

Unfortunately, this policy for some reason allows users to navigate not only to the specified folder, but also to other folders located in the same bucket. How can I restrict users so that they can only navigate the specified folder?

+3


source to share


2 answers


I hope this documentation helps you, the steps are broken down and pretty simple:

http://docs.aws.amazon.com/AmazonS3/latest/dev/walkthrough1.html

You can also use policy variables.

It allows you to specify placeholders in the policy. When the policy is evaluated, the policy variables are replaced with values ​​that come from the request itself. For example -${aws:username}:




Alternatively, you can also check this question on Stackoverflow (if similar):

Prevent the user from even knowing about other users (folders) on AWS S3

0


source


I have said this before, but I will answer again from here. Your best bet is to create a user and then add it to the group and then assign the group to r / w bucket. This is a typical example of how to write a policy



{
  "Statement": [
    {
      "Sid": "sidgoeshere",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::s3bucket",
        "arn:aws:s3:::s3bucket/*"
      ]
    }
  ]
}
-3


source






More articles:


All Articles