Search
Search

How to grant access only to the Root Account User for an S3 bucket with IAM Policy AWS?

Leonardo Campanha Published at Dev
45
Leonardo Campanha

I want to create an s3 bucket policy that only the Root Account can have full access, how can I do that?

Example:

   {
    "Version": "2012-10-17",
    "Statement": [            
        {
            "Sid": "Allow full access for root account user",
            "Effect": "Allow",
            "Principal": {
                "AWS": "root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::ih-deploy-bucket/*",
                "arn:aws:s3:::ih-deploy-bucket"
            ]
        }
    ]
}

Or adding a Condition Like

"Condition": {
    "StringEquals" : {"aws:username" : "rootUser"} 
}
httpdigest

This is one of the very few (if not the only) usecase for an explicit Deny with a NotPrincipal:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::<your-account-number>:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::ih-deploy-bucket/*",
        "arn:aws:s3:::ih-deploy-bucket"
      ]
    }
  ]
}

This will explicitly deny all principals that are not (and not only) the root account user, including IAM users, assumed role sessions and federated users in that account. And since the root user always has explicit Allows for all actions on all resources, an actual Allow is given by the root user's identity-based permissions, so the root user will have access to that bucket.

The reason why this works is that a caller identity working in your account has always multiple principals simultaneously, which are being evaluated by IAM for a policy statement:

  1. the account principal arn:aws:iam::<your-account-number>:root
  2. the user, assumed role or federated user principal

In the case of an explicit Allow if you only used the root account principal in a Principal rule in a policy statement, then any user in that account will match the allow and will be given access, since the account principal is always part of a user's principal list in that account.

However, in the case of a Deny with a NotPrincipal, things are a bit different. Here, the list of NotPrincipals must whitelist all principals of the caller's identity to be not denied.

This fact somewhat shines through in the AWS documentation about NotPrincipal: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

When you use NotPrincipal with Deny, you must also specify the account ARN of the not-denied principal. Otherwise, the policy might deny access to the entire account containing the principal. Depending on the service that you include in your policy, AWS might validate the account first and then the user. If an assumed-role user (someone who is using a role) is being evaluated, AWS might validate the account first, then the role, and then the assumed-role user.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at
0

Comments

0 comments
Login to comment

Related

How do I grant cross account access to an encrypted bucket with a simple s3 bucket policy?

Access denied when put bucket policy on aws s3 bucket with root user (= bucket owner)

AWS IAM Policies: How do I alter the AWSLambdaFullAccess policy to only allow access to one S3 bucket?

AWS S3 Bucket Policy: How to grant access to EC2 instance?

How to limit IAM user access to an S3 bucket from a VPN connection only

AWS IAM Policy: Restrict Bucket/Folder Access By User/Role?

Grant access to AWS S3 bucket/folder to users without AWS account

S3 bucket policy, how to ALLOW a IAM group from another account?

Access is denied even if IAM user is specified in S3 bucket policy

How to grant full permissions on an S3 bucket for an IAM user using boto3?

Can I grant access to objects owned by another account in AWS S3 using bucket policies?

S3 Bucket Policy to allow S3 Access to Current Authenicated user in AWS Console?

IAM user can only access S3 bucket when bucket is set to public

Giving access to S3 bucket to an external user without an IAM account

Access denied on AWS s3 bucket even with bucket and/or user policy

Grant access to an S3 bucket for a specific user only, no public access

IAM Policy: Users cannot access S3 bucket

S3 Policy Help - Full access for IAM user. Public read only access for single folder

AWS: S3 Bucket AWS You can't grant public access because Block public access settings are turned on for this account

AWS IAM: How to grant access for certain user to certain dynamoDB?

AWS S3: Setting a bucket policy for multiple users in an account

S3 Bucket AWS You can't grant public access because Block public access settings are turned on for this account

Grant aws iam role permissions to an iam user in same account

S3 bucket policy to set a folder readable by a referring URL, and another folder only available to AWS user

How can I grant AWS users to access website hosted by s3 bucket?

Where is policy of read/write AWS S3 for IAM user

AWS S3: user policy for specifc bucket

AWS S3 Bucket policy editor access denied

AWS - S3 - Creating a Bucket Policy - Error: Access Denied

TOP Ranking

  1. 1

    pump.io port in URL

  2. 2

    Failed to listen on localhost:8000 (reason: Cannot assign requested address)

  3. 3

    How to import an asset in swift using Bundle.main.path() in a react-native native module

  4. 4

    Inner Loop design for webscrapping

  5. 5

    Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

  6. 6

    ggplotly no applicable method for 'plotly_build' applied to an object of class "NULL" if statements

  7. 7

    mysql.connector.errors.InterfaceError: 2003: Can't connect to MySQL server on '127.0.0.1:3306' (111 Connection refused)

  8. 8

    Removed zsh, but forgot to change shell back to bash, and now Ubuntu crashes (wsl)

  9. 9

    Ambiguous use of 'init' with CFStringTransform and Swift 3

  10. 10

    Resetting Value of <input type="time"> in Firefox

  11. 11

    Execute ./script.sh with a crontab

  12. 12

    Converting a class method to a property with a backing field

  13. 13

    Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

  14. 14

    How to update azerothcore-wotlk docker container

  15. 15

    How to set tab order for array of cluster,where cluster elements have different data types in LabVIEW?

  16. 16

    Grails with Oracle thick OCI driver authenticate to Oracle with wrong user

  17. 17

    How to pass data to the ng2-bs3-modal?

  18. 18

    Making Array From Page Elements in jQuery

  19. 19

    Retrieve Element Tag Value XML Using Bash

  20. 20

    Laravel's ORM sync with timestamps doesn't update timestamps

  21. 21

    Do animations stop css changes after animation completion?

HotTag

Archive