I have one S3 bucket for which I need to deny access for all users and allow access to a specific IAM role.
I followed the doc provided by AWS. I am able to do it for users, but when I do it for a role, it does not work. Can anybody help?
https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
I tried the following code in the S3 bucket policy. It causes access denied for all users, including the Lambda role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::relambda",
        "arn:aws:s3:::relambda/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:roleId": [
            "KDCNKWDCKQWCLQKC:*",
            "5371235537537"
          ]
        }
      }
    }
  ]
}
You have nothing in Principal.
Please refer to/use the policy below.
An IAM user has a unique ID starting with AIDA that you can use for this purpose. To find this unique ID:
With the AWS CLI installed, open a command prompt or shell.
Run the command: aws iam get-user --user-name USER-NAME
In the output, look for the userId string, which will begin with AIDAEXAMPLEID.
When you have identified the userId string, you can place it in the “aws:userId” condition array, as shown in the following example.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "AIDAEXAMPLEID",
            "111111111111"
          ]
        }
      }
    }
  ]
}
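The following is an added example, not code from the question or from the answer above, showing how the aws:userId deny policy is assembled and why it behaves the way it does. The question's policy uses aws:roleId, which is not an AWS global condition key; the documented key is aws:userId. For a request made under an assumed role, aws:userId has the form ROLE-UNIQUE-ID:ROLE-SESSION-NAME, which is why the role's unique ID (the AROA... value from aws iam get-role) must be listed with a ":*" suffix, and the bare account ID is what the account root user presents. The bucket name, role ID, user ID and session names below are constructed placeholders; the small StringLike matcher implements the documented IAM wildcard rules ("*" any run of characters, "?" one character) so the policy can be checked locally before it is applied.

```python
"""Build the aws:userId-based S3 deny policy and evaluate it locally.

Added example (not from the original question or answers). All identifiers
are constructed placeholders. Obtain the real role unique ID with:
    aws iam get-role --role-name ROLE-NAME --query Role.RoleId --output text
"""
import json
import re


def aws_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike / StringNotLike matching.

    '*' matches any run of characters (including none), '?' matches exactly
    one character; everything else is literal.  IAM has no character classes,
    so each other character is escaped before the pattern is compiled.
    """
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def build_deny_policy(bucket, role_unique_id, account_id, user_unique_ids=()):
    """Deny everyone except the listed role (any session), the account root,
    and optionally some IAM users, by their unique IDs in aws:userId."""
    allowed_ids = [f"{role_unique_id}:*", account_id, *user_unique_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyEveryoneExceptListedPrincipals",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                # StringNotLike: the Deny fires when aws:userId matches NONE
                # of these patterns.
                "Condition": {"StringNotLike": {"aws:userId": allowed_ids}},
            }
        ],
    }


def deny_applies(policy, request_user_id: str) -> bool:
    """True if the Deny statement fires for a request whose aws:userId is
    request_user_id (i.e. the ID matches none of the listed patterns)."""
    stmt = policy["Statement"][0]
    patterns = stmt["Condition"]["StringNotLike"]["aws:userId"]
    return not any(aws_string_like(p, request_user_id) for p in patterns)


if __name__ == "__main__":
    # Constructed placeholders, not real AWS identifiers.
    policy = build_deny_policy(
        bucket="relambda",
        role_unique_id="AROAEXAMPLEROLEID",
        account_id="111111111111",
        user_unique_ids=["AIDAEXAMPLEUSER"],
    )
    print(json.dumps(policy, indent=2))
    for user_id in [
        "AROAEXAMPLEROLEID:my-lambda-session",  # the allowed role, any session
        "111111111111",                          # account root user
        "AIDAEXAMPLEUSER",                       # explicitly listed IAM user
        "AIDAOTHERUSER",                         # some other IAM user
        "AROAOTHERROLE:my-lambda-session",       # some other role
    ]:
        print(f"{user_id:40} denied={deny_applies(policy, user_id)}")
```

Keep the account root entry in the list: without it, the Deny also applies to the root user, and the only way to undo a bucket policy that locks everyone out is then an AWS support case. Also note that this policy only removes the explicit Deny for the role; the role still needs an Allow (in its IAM policy or in the bucket policy) before it can actually read the bucket.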
This should deny access to everyone except for the role using the NotPrincipal key.
{
  "Id": "DenyRoleAccess",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllRole",
      "Action": [
        "s3:*"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME",
        "arn:aws:s3:::BUCKET-NAME/*"
      ],
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::AWS-ACCOUNT-ID:role/ROLE-NAME"
        ]
      }
    }
  ]
}
It appears that your requirement is:
- Deny access by default
- Allow access for a specific IAM role
Fortunately, the default for all Amazon S3 buckets is to deny access by default, so this one is automatically met!
To permit access for a specific role, use a Bucket Policy like this:
{
  "Id": "AllowRoleAccess",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRole",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME",
        "arn:aws:s3:::BUCKET-NAME/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::222222222222:role/ROLE-NAME"
        ]
      }
    }
  ]
}
There are also other settings you can use to limit it to a specific EC2 instance that is using a role.