AWS IAM group policy on S3 resource affecting othe

Published 2019-07-20 06:35

Question:

This is a follow-up but independent question from AWS s3 bucket policy invalid group principal

I have 2 groups: Developers and Collaborators. Developers have the preconfigured "PowerUser" group policy. Collaborators have the following group policy

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::bucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::bucket/*.txt"
      }
   ]
}

The bucket has the following policy to deny upload of unencrypted .txt files:

{
    "Version": "2008-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/*.txt",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        }
    ]
}

The behavior I expect: the "Developer" group can put any type of file, ".txt" files must be encrypted, including making directories. The "Collaborator" group can put, get and delete ".txt" files only; they cannot make directories.

The behavior I get is as expected for "Developer". The behavior of "Collaborators" is identical to that of developers: they can put any file when they should only be able to put ".txt" files.

What am I doing wrong?

Answer 1:

If you are sure this policy is only attached to the Collaborators group, then the Developers should not be affected.

From your related question, it seems you originally tried a bucket policy. Do you still have a bucket policy applied that restricts the whole bucket to *.txt files? Try removing any existing bucket policy.

Answer 2:

After a lot of trial and error I attempted to do most of the permissions at the bucket level, got some unexpected behavior and had to split it over both group and bucket policy. Here is my group policy for "Collaborators":

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::bucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObject"
         ],
         "Resource":"arn:aws:s3:::bucket/*"
      }
   ]
}

Here is the bucket policy that only allows upload and delete of ".txt" files by the four users in the "Collaborator" group:

{
    "Version": "2008-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/*.txt",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "CelOnly",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/collaborator1",
                    "arn:aws:iam::111122223333:user/collaborator2",
                    "arn:aws:iam::111122223333:user/collaborator3",
                    "arn:aws:iam::111122223333:user/collaborator4"
                ]
            },
            "Action": [
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "NotResource": "arn:aws:s3:::bucket/*.txt"
        }
    ]
}

Including s3:GetObject in the bucket policy did not allow downloads of ".txt" files; that's why I had to move it to the group policy. I'm still unsure why it took so much trial and error and why some of my other solutions, such as that in the original question, did not work, but at least this is the answer to my problem.
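An added worked example, not part of the question or of either answer: a small Python simulator of the same-account evaluation rule that decides these requests (a matching explicit Deny wins; otherwise one Allow from either the identity policies or the bucket policy is enough; otherwise the request is implicitly denied). It encodes the Collaborators group policy and bucket policy from the question and the pair from answer 2, trimmed to the statements that matter, and adds a constructed BROAD_ALLOW policy that stands in for any permission reaching the users from something not shown on the page. The account ID, collaborator1 and the bucket name "bucket" are the page's own placeholders; developer1 is made up for contrast; only the condition operators these policies use are implemented. Run against the posted policies alone it returns ImplicitDeny both for a collaborator's PutObject of photo.jpg under the question's policies and for an encrypted notes.txt upload under answer 2's policies, because a Deny statement with NotResource narrows permissions but grants none: in both cases the uploads that were observed to work must be allowed by something else. Once BROAD_ALLOW is added, the explicit Denies do what they are meant to and cut that grant down to encrypted .txt uploads and deletes for the listed collaborators.

```python
import fnmatch

ALLOW, DENY, IMPLICIT_DENY = "Allow", "Deny", "ImplicitDeny"

# Names taken from the page (account 111122223333, user collaborator1, bucket "bucket");
# the developer user is a constructed placeholder for a principal CelOnly does not name.
BUCKET = "arn:aws:s3:::bucket"
COLLAB = "arn:aws:iam::111122223333:user/collaborator1"
DEVELOPER = "arn:aws:iam::111122223333:user/developer1"
SSE_KEY = "s3:x-amz-server-side-encryption"
ENCRYPTED = {SSE_KEY: "AES256"}  # request context of an SSE-S3 upload

# Collaborators group policy from the question (s3:ListAllMyBuckets omitted).
GROUP_QUESTION = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/*.txt"}]}
ENCRYPTION_DENY = {
    "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": {"AWS": "*"},
    "Action": "s3:PutObject", "Resource": BUCKET + "/*.txt",
    "Condition": {"StringNotEquals": {SSE_KEY: "AES256"}}}
BUCKET_QUESTION = {"Statement": [ENCRYPTION_DENY]}

# Group and bucket policies from answer 2.
GROUP_ANSWER = {"Statement": [
    GROUP_QUESTION["Statement"][0],
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
BUCKET_ANSWER = {"Statement": [ENCRYPTION_DENY, {
    "Sid": "CelOnly", "Effect": "Deny", "Principal": {"AWS": [COLLAB]},
    "Action": ["s3:DeleteObject", "s3:PutObject"], "NotResource": BUCKET + "/*.txt"}]}

# Constructed stand-in for a broad Allow reaching the users from some policy that is
# not on the page (PowerUser-style, a second group membership, a leftover bucket policy).
BROAD_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # IAM policy wildcards: '*' matches any run of characters including '/',
    # '?' matches one character; fnmatchcase has the same semantics.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a request that omits the key is "not equal",
                # which is why this Deny fires on uploads sent without the header.
                if actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _applies(stmt, principal, action, resource, context):
    if "Principal" in stmt:  # only resource-based statements name a principal
        who = _as_list(stmt["Principal"].get("AWS", []))
        if "*" not in who and principal not in who:
            return False
    if not _any_match(stmt["Action"], action):
        return False
    if "Resource" in stmt and not _any_match(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _any_match(stmt["NotResource"], resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(identity_policies, bucket_policy, principal, action, resource, context=None):
    """Same-account rule: a matching explicit Deny wins; otherwise one Allow from either
    the identity policies or the bucket policy is enough; otherwise implicit deny."""
    effects = set()
    for policy in list(identity_policies) + [bucket_policy]:
        for stmt in policy["Statement"]:
            if _applies(stmt, principal, action, resource, context or {}):
                effects.add(stmt["Effect"])
    if DENY in effects:
        return DENY
    return ALLOW if ALLOW in effects else IMPLICIT_DENY


if __name__ == "__main__":
    jpg, txt = BUCKET + "/photo.jpg", BUCKET + "/notes.txt"
    print("question, posted policies only, photo.jpg:",
          evaluate([GROUP_QUESTION], BUCKET_QUESTION, COLLAB, "s3:PutObject", jpg))
    print("answer 2, posted policies only, notes.txt:",
          evaluate([GROUP_ANSWER], BUCKET_ANSWER, COLLAB, "s3:PutObject", txt, ENCRYPTED))
    print("answer 2 plus a broad Allow, photo.jpg:",
          evaluate([GROUP_ANSWER, BROAD_ALLOW], BUCKET_ANSWER, COLLAB, "s3:PutObject", jpg))
```

Two caveats visible in the page's own policies: answer 2's group policy grants s3:GetObject on bucket/*, so collaborators can read every object, not only .txt files; and CelOnly enumerates four user ARNs, so a fifth member added to the Collaborators group is not restricted until the bucket policy is edited too. For the real account, aws iam simulate-principal-policy evaluates a principal's actual effective policies and is the tool to reach for instead of this toy.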