AWS Deny NotPrincipal Bucket Policy – Configuration Guide


I have an AWS S3 bucket called test33333 that I need to lock down to the minimum necessary permissions. I've created a bucket policy to Deny all except user account MyUser and role MyRole. (Account name xxx'd out.)

{
    "Version": "2012-10-17",
    "Id": "Policy1571158084375",
    "Statement": [
        {
            "Sid": "Stmt1568227480842",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxx:role/MyRole",
                    "arn:aws:iam::xxxxxxxxxxxxx:user/MyUser"
                ]
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test33333"
        }
    ]
}

Apparently this doesn't work, even though MyRole and MyUser both have full S3 read access and can read and write to this bucket when the above bucket policy is deleted.

What am I missing? I thought this policy above should just refuse everyone but MyUser and MyRole and then use existing policies attached to the users to grant access. Ultimately I'd like for the bucket policy to control all access and not have to explicitly grant users or roles access to buckets via policies.

I've tried everything I can think of thus far.
Thanks!

Best Answer

It sounds like you might need to specify both the bucket and its contents in the Resource tag. Some permissions apply directly to the bucket only and other permissions apply to objects only, e.g.

"Resource": [
    "arn:aws:s3:::test33333",
    "arn:aws:s3:::test33333/*"
]

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html#specifying-notprincipal
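The following is an added example, not part of the question or the answer above, that shows why the Resource coverage matters: a small evaluator for a single bucket policy that applies the Deny/NotPrincipal matching rules to a (principal, action, resource) request, plus a check that flags Deny statements naming the bucket ARN but not its objects. The account id 111111111111, the session name and the object key are constructed placeholders. Following the AWS NotPrincipal documentation linked above, the exempt list also includes the role's assumed-role session ARN pattern (arn:aws:sts::ACCOUNT:assumed-role/MyRole/*), because that is the principal ARN a role session actually presents; whether S3 additionally requires that entry is an assumption taken from that page, not something the answer states.

```python
import fnmatch
import json

ACCOUNT = "111111111111"  # constructed placeholder, not a real account id
BUCKET = "test33333"

# Principals exempted from the Deny: the IAM user, the IAM role, and (per the
# AWS NotPrincipal docs, an assumption for this example) the role's session ARN.
EXEMPT = [
    f"arn:aws:iam::{ACCOUNT}:user/MyUser",
    f"arn:aws:iam::{ACCOUNT}:role/MyRole",
    f"arn:aws:sts::{ACCOUNT}:assumed-role/MyRole/*",
]


def deny_all_except(resources):
    """Build a bucket policy with one Deny/NotPrincipal statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExcept",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": EXEMPT},
            "Action": "s3:*",
            "Resource": resources,
        }],
    }


# Policy as posted: Resource covers the bucket ARN only.
ORIGINAL_POLICY = deny_all_except(f"arn:aws:s3:::{BUCKET}")
# Policy as the answer suggests: bucket ARN plus every object under it.
FIXED_POLICY = deny_all_except([f"arn:aws:s3:::{BUCKET}",
                                f"arn:aws:s3:::{BUCKET}/*"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' are the only metacharacters."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_denies(stmt, principal_arn, action, resource_arn):
    """True if this Deny statement applies to the request."""
    if stmt.get("Effect") != "Deny":
        return False
    if not _matches(stmt["Action"], action):
        return False
    if not _matches(stmt["Resource"], resource_arn):
        return False  # statement is silent on this resource
    if "NotPrincipal" in stmt:
        # Deny everyone who is NOT in the exempt list.
        return not _matches(stmt["NotPrincipal"]["AWS"], principal_arn)
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return principal is not None and _matches(principal["AWS"], principal_arn)


def is_denied(policy, principal_arn, action, resource_arn):
    """Explicit deny wins if any statement denies the request."""
    return any(statement_denies(s, principal_arn, action, resource_arn)
               for s in policy["Statement"])


def coverage_gaps(policy):
    """Sids of Deny statements that name the bucket but none of its objects."""
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    gaps = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        resources = _as_list(stmt["Resource"])
        covers_bucket = bucket_arn in resources
        covers_objects = any(r.startswith(bucket_arn + "/") for r in resources)
        if covers_bucket and not covers_objects:
            gaps.append(stmt["Sid"])
    return gaps


if __name__ == "__main__":
    stranger = f"arn:aws:iam::{ACCOUNT}:user/SomeoneElse"
    obj = f"arn:aws:s3:::{BUCKET}/secret.txt"  # constructed object key
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "gaps:", coverage_gaps(policy),
              "stranger GetObject denied:",
              is_denied(policy, stranger, "s3:GetObject", obj))
    print(json.dumps(FIXED_POLICY, indent=2))
```

With the original Resource, the Deny never matches an object ARN, so object-level actions by non-exempt principals fall through to whatever other policies allow; adding test33333/* closes that gap while the exempt user and role session are still untouched.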
