How can I fulfill the OR condition in the S3 bucket policy?

I am working on an S3 bucket policy. The idea is to explicitly deny access to all IAM users in the account, except for those that are explicitly granted.

I found a blog post explaining how to restrict access to a specific user. It works well. However, I want to extend the syntax to include a second IAM user who will be allowed access. This is essentially an OR condition.

But I'm very new to JSON, and I'm not sure how to do this.

Here is a policy that works to restrict access to a single user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDA<obfuscated id>:*",
                        "AIDA<obfuscated id>",
                        "111111111111"
                    ]
                }
            }
        }
    ]
}

Can someone help me modify the above JSON to allow the OR condition, where could I specify an additional user id that will be allowed?

Thanks in advance!

+4
2

, .

Condition StringNotLike, .

, , Condition /. , , , . , .

, , :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-private-bucket",
                "arn:aws:s3:::my-private-bucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDA<obfuscated-id-1>:*",
                        "AIDA<obfuscated-id-1>",
                        "AIDA<obfuscated-id-2>:*",
                        "AIDA<obfuscated-id-2>",
                        "111111111111"
                    ]
                }
            }
        }
    ]
}

, , , .

+1

deny, , .

IAM, . , :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllS3ActionsForSpecificIAMUsers",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-number-without-hyphens>:user/<username1>",
          "arn:aws:iam::<account-number-without-hyphens>:user/<username2>"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket", 
        "arn:aws:s3:::my-bucket/*"
      ]
    } 
  ]
}

Principal .

0
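Both answers come down to the same IAM rule: a negated string condition such as StringNotLike with several values matches only when none of the values match, so adding a second user ID to the list widens the set of principals the Deny skips (the "OR" from the question), while the second answer expresses the same allow-list through the Principal element instead. The evaluator below is an added example, not code from the question, the answers or AWS; it models only those two statement shapes with IAM's matching rules ("*" any run of characters, "?" one character, otherwise literal and case-sensitive) and uses constructed placeholder user IDs, account number and user names.

```python
import json
import re

# Constructed sample policy in the shape of the first answer: one explicit Deny
# whose StringNotLike lists the aws:userId values that are exempt from it.
# User IDs and the account number are placeholders, not real identifiers.
DENY_EXCEPT_LISTED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my-private-bucket", "arn:aws:s3:::my-private-bucket/*"],
    "Condition": {"StringNotLike": {"aws:userId": [
      "AIDAEXAMPLEUSER1:*", "AIDAEXAMPLEUSER1",
      "AIDAEXAMPLEUSER2:*", "AIDAEXAMPLEUSER2",
      "111111111111"
    ]}}
  }]
}
""")

# Constructed sample policy in the shape of the second answer: an Allow whose
# Principal element lists the permitted IAM user ARNs (placeholder names).
ALLOW_LISTED_PRINCIPALS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAllS3ActionsForSpecificIAMUsers",
    "Effect": "Allow",
    "Principal": {"AWS": [
      "arn:aws:iam::111111111111:user/alice",
      "arn:aws:iam::111111111111:user/bob"
    ]},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
  }]
}
""")


def iam_like(value: str, pattern: str) -> bool:
    """StringLike-style match: '*' is any run of characters, '?' exactly one,
    every other character is literal and the comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def as_list(value):
    """Policy JSON allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def deny_statement_matches(statement: dict, user_id: str) -> bool:
    """A negated condition with several values is satisfied only when NONE of
    the values match, so each extra ID in the list is one more principal the
    Deny leaves alone. Both 'AIDA...' and 'AIDA...:*' are listed because the
    ':*' form needs the colon and would not match the bare user ID."""
    patterns = as_list(statement["Condition"]["StringNotLike"]["aws:userId"])
    return statement["Effect"] == "Deny" and not any(iam_like(user_id, p) for p in patterns)


def evaluate_deny_policy(policy: dict, user_id: str) -> str:
    """'DENY' if any Deny statement applies to this aws:userId, otherwise
    'NOT_DENIED' (the principal still needs an Allow from somewhere)."""
    for statement in policy["Statement"]:
        if deny_statement_matches(statement, user_id):
            return "DENY"
    return "NOT_DENIED"


def evaluate_allow_policy(policy: dict, principal_arn: str) -> str:
    """'ALLOW' if the principal ARN is listed in an Allow statement, otherwise
    'NO_MATCH' (an implicit deny as far as this one policy is concerned)."""
    for statement in policy["Statement"]:
        if statement["Effect"] == "Allow" and principal_arn in as_list(statement["Principal"]["AWS"]):
            return "ALLOW"
    return "NO_MATCH"


if __name__ == "__main__":
    # Constructed aws:userId values: two listed users (one with a session
    # suffix), the account root (whose aws:userId is the account number),
    # an unlisted user and an assumed role.
    for uid in ["AIDAEXAMPLEUSER1", "AIDAEXAMPLEUSER2:cli-session", "111111111111",
                "AIDASOMEONEELSE", "AROAEXAMPLEROLE:session"]:
        print(f"{uid:30} -> {evaluate_deny_policy(DENY_EXCEPT_LISTED, uid)}")
    for arn in ["arn:aws:iam::111111111111:user/alice", "arn:aws:iam::111111111111:user/carol"]:
        print(f"{arn:40} -> {evaluate_allow_policy(ALLOW_LISTED_PRINCIPALS, arn)}")
```

The two shapes are not equivalent from a defender's point of view. The explicit Deny of the first answer overrides any Allow a user picks up from an identity-based policy, which is why the account number is kept in the exception list (the root user's aws:userId is the account number, so leaving it out puts root under the Deny as well). The Allow-only policy of the second answer grants access to the listed users but does nothing to stop other principals in the same account whose own IAM policies already permit s3:* on the bucket; if the goal from the question is "deny everyone except these users", the Deny statement is the part that enforces it.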

Source: https://habr.com/ru/post/1671062/
