AWS S3 Bucket Policy Explicit Deny

gkrizek

I'm trying to restrict my bucket to deny everything, but allow uploads from one specific IAM user and get objects based on referer header. Here is my policy:

{
    "Version": "2012-10-17",
    "Id": "Meteor refer policy",
    "Statement": [
        {
            "Sid": "allow upload",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::556754141176:user/username"
            },
            "Action": "s3:PutObject*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        },
        {
            "Sid": "Allow get",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://myapp.com*",
                        "http://localhost*"
                    ]
                }
            }
        },
        {
            "Sid": "Explicit deny",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "bucketname/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "http://myapp.com*",
                        "http://localhost*"
                    ]
                }
            }
        }
    ]
}

This policy correctly enforces the GetObject directive to only the referer header, but I'm not able to upload anything with that user like I stated. If I take out the explicit deny, I can access the object from anywhere and the referer doesn't matter. What is wrong with my policy? Also, I can't access anything in the bucket from the console. What do I need to do for that?

Thanks,

John Rotenstein

By default, all content in an Amazon S3 bucket is private. So, just add access to users that should be permitted.

Also, merely granting PutObject will only allow that API call and will not permit access via the AWS Management Console, which requires permissions like ListAllMyBuckets. So, make sure the uploading user either has the necessary permissions, or only uses the API calls that it is permitted to use.

Therefore:

  • Remove the Deny policy -- it is not required
  • In the GetObject policy, you should also remove "Resource": "bucketname/*", because that is explicit in the fact that the Bucket Policy applies to the bucket to which it is attached
  • Have the uploading user use the AWS Command-Line Interface (CLI) or a web page to upload, which only requires PutObject, OR grant additional permissions to be able to use the AWS Management Console for Amazon S3 (shown below)

Here is a set of permissions that would grant upload access within the Amazon S3 management console (with thanks to Is there an S3 policy for limiting access to only see/access one bucket?):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
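The following is an added illustration, not code from the original question or answer. It models the part of the IAM policy evaluation logic that explains the behaviour described above: an applicable explicit Deny overrides any Allow, and a request that matches no Allow is implicitly denied anyway, which is why the Deny statement adds nothing but the upload failure. The model assumes the question's Resource values are full ARNs (the posted policy omits the arn:aws:s3::: prefix); the account id, bucket name, user name and object key are the question's placeholders or constructed here. One detail the model reproduces from the IAM documentation is that a negated operator such as StringNotLike evaluates to true when the condition key is absent from the request, so an upload from the CLI, which sends no Referer header, matches the Deny.

```python
"""Simplified simulation of how S3 evaluates the bucket policy from the question.

Added example, not code from the original post.  Explicit Deny > Allow > implicit deny.
Resources are assumed to be full ARNs; names and the object key are placeholders.
"""
import fnmatch

USER = "arn:aws:iam::556754141176:user/username"   # the question's IAM user
OBJ = "arn:aws:s3:::bucketname/photo.jpg"           # constructed object key
REFERERS = ["http://myapp.com*", "http://localhost*"]


def _aslist(x):
    return x if isinstance(x, list) else [x]


def _cond_ok(condition, context):
    """Every operator/key must pass (AND); any one listed pattern may match (OR)."""
    for op, keys in condition.items():
        for key, pats in keys.items():
            val = context.get(key)
            hit = val is not None and any(fnmatch.fnmatchcase(val, p) for p in _aslist(pats))
            if op == "StringLike" and not hit:
                return False
            # Negated operators evaluate TRUE when the key is absent from the request:
            # a CLI PutObject carries no Referer, so StringNotLike on aws:Referer matches it.
            if op == "StringNotLike" and hit:
                return False
    return True


def _applies(stmt, req):
    """Does this statement cover the request's principal, action, resource and conditions?"""
    p = stmt["Principal"]
    prin_ok = p == "*" or req["principal"] in _aslist(p.get("AWS", []))
    act_ok = any(fnmatch.fnmatchcase(req["action"], a) for a in _aslist(stmt["Action"]))
    res_ok = any(fnmatch.fnmatchcase(req["resource"], r) for r in _aslist(stmt["Resource"]))
    return prin_ok and act_ok and res_ok and _cond_ok(stmt.get("Condition", {}), req.get("context", {}))


def evaluate(policy, req):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (nothing matched)."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, req)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"


# The question's three statements, with Resource written as ARNs.
ALLOW_UPLOAD = {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "s3:PutObject*",
                "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]}
ALLOW_GET = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::bucketname/*",
             "Condition": {"StringLike": {"aws:Referer": REFERERS}}}
EXPLICIT_DENY = {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                 "Resource": "arn:aws:s3:::bucketname/*",
                 "Condition": {"StringNotLike": {"aws:Referer": REFERERS}}}
WITH_DENY = {"Statement": [ALLOW_UPLOAD, ALLOW_GET, EXPLICIT_DENY]}
WITHOUT_DENY = {"Statement": [ALLOW_UPLOAD, ALLOW_GET]}   # the answer's recommendation

# Constructed requests.  Anonymous browser fetches carry principal "*" (unauthenticated).
CLI_UPLOAD = {"principal": USER, "action": "s3:PutObject", "resource": OBJ}   # no Referer header
APP_GET = {"principal": "*", "action": "s3:GetObject", "resource": OBJ,
           "context": {"aws:Referer": "http://myapp.com/page"}}
DIRECT_GET = {"principal": "*", "action": "s3:GetObject", "resource": OBJ}    # typed into the URL bar
SPOOFED_GET = {"principal": "*", "action": "s3:GetObject", "resource": OBJ,
               "context": {"aws:Referer": "http://myapp.com.attacker.example/"}}


def compare(req):
    """Outcome of one request under the policy with and without the explicit Deny."""
    return evaluate(WITH_DENY, req), evaluate(WITHOUT_DENY, req)


if __name__ == "__main__":
    for name, req in [("CLI upload by IAM user", CLI_UPLOAD), ("GET from app page", APP_GET),
                      ("GET with no Referer", DIRECT_GET), ("GET with spoofed Referer", SPOOFED_GET)]:
        with_deny, without_deny = compare(req)
        print(f"{name:26s} with Deny: {with_deny:13s} without Deny: {without_deny}")
```

Running it shows the upload from the IAM user is denied only while the Deny statement is present, and that a GET with no or a wrong Referer is refused either way (explicitly with the Deny, implicitly without it), which is the answer's point that the Deny is not required. The last request shows two caveats a practitioner should keep in mind: aws:Referer is a client-supplied header, so anyone with curl can send a matching value and the condition is a hotlinking deterrent rather than access control, and the pattern "http://myapp.com*" also matches a hostname such as myapp.com.attacker.example; AWS's own examples use the form "http://www.example.com/*" to avoid that.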
