How do I use wildcards with a Principal element and explicit deny in an Amazon S3 bucket policy?


I want to use wildcards with a Principal element and an explicit deny in an Amazon Simple Storage Service (Amazon S3) bucket policy.

Short description

To block access to your Amazon S3 buckets by AWS Identity and Access Management (IAM) entities, specify the permissions in a bucket policy. The bucket policy must use a NotPrincipal element and an explicit deny. For more information, see Specifying NotPrincipal with Deny.

However, because Amazon S3 doesn't support wildcards with the NotPrincipal element, you must use Principal as the target entity in each statement block. The deny statement must also include a condition that exempts the entities granted access in each allow block.

Resolution

First, make sure that you have the following resources:

The following example uses wildcards in aws:userid to include all names that the calling process passes. For example, this includes the wildcards for an application, service, or instance ID when users make calls to obtain temporary credentials. For more information, see Request information that you can use for policy variables. To prevent lockout, this example includes the AWS account root user.

Note: Be sure that you replace the example names with your own role IDs and bucket names.

Here's the complete example policy. Note the StringNotLike condition in the deny block:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::444455556666:role/s3-access-role"
        ]
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::awsexamplebucket1"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::444455556666:role/s3-access-role"
        ]
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::awsexamplebucket1/*"
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::awsexamplebucket1/*",
        "arn:aws:s3:::awsexamplebucket1"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userid": [
            "AROAID2GEXAMPLEROLEID:*",
            "444455556666"
          ]
        }
      }
    }
  ]
}
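To see how the deny block's StringNotLike condition behaves before you deploy a policy like this, the following Python script is an added example (not part of the AWS article) that evaluates the two aws:userid patterns from the policy above against constructed caller IDs. It implements IAM's StringLike wildcard matching (only * and ? are wildcards) and the simplified evaluation order "explicit deny, then allow, else implicit deny". The user IDs AROAOTHERROLEID, AIDAEXAMPLEUSERID, and the session names are assumptions made up for the demonstration; the aws:userid formats (ROLEID:session-name for an assumed role, the bare account ID for the root user, AIDA... for an IAM user) follow the AWS documentation linked in the article.

```python
import re

# The aws:userid patterns from the deny statement's StringNotLike condition.
DENY_CONDITION_USERIDS = [
    "AROAID2GEXAMPLEROLEID:*",   # any session that assumes s3-access-role
    "444455556666",              # the account root user, kept to prevent lockout
]


def iam_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM StringLike pattern into an anchored regex.

    IAM treats only '*' (any run of characters) and '?' (one character)
    as wildcards; everything else is literal, so it is escaped here.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def string_like(value: str, patterns) -> bool:
    """StringLike with a list of values is true if any pattern matches."""
    return any(iam_glob_to_regex(p).match(value) for p in patterns)


def deny_applies(aws_userid: str) -> bool:
    """The Deny statement fires when StringNotLike holds, i.e. when the
    caller's aws:userid matches none of the listed patterns."""
    return not string_like(aws_userid, DENY_CONDITION_USERIDS)


def evaluate(aws_userid: str, allowed_by_allow_statements: bool) -> str:
    """Simplified IAM evaluation: an explicit deny always wins, then an
    allow from the policy's Allow statements, otherwise implicit deny."""
    if deny_applies(aws_userid):
        return "DENY (explicit)"
    if allowed_by_allow_statements:
        return "ALLOW"
    return "DENY (implicit)"


def classify(userids) -> dict:
    """Map each constructed caller ID to whether the explicit deny applies."""
    return {uid: deny_applies(uid) for uid in userids}


if __name__ == "__main__":
    # Constructed sample callers (assumed IDs, not real AWS identities).
    samples = [
        "AROAID2GEXAMPLEROLEID:app-session-1",  # s3-access-role session
        "444455556666",                          # account root user
        "AROAOTHERROLEID:some-session",          # a different role's session
        "AIDAEXAMPLEUSERID",                     # an IAM user in the account
    ]
    for uid, denied in classify(samples).items():
        print(f"{uid:40} explicit deny applies: {denied}")
```

Note that an IAM user whose identity policy grants s3:GetObject is still blocked (evaluate returns "DENY (explicit)"), which is the point of the deny block, while a session of s3-access-role passes through to the Allow statements. When you replace the example role ID with your own, the unique ID to put in the pattern is returned by `aws iam get-role --role-name s3-access-role --query Role.RoleId` (added here as a hint; adjust the role name to yours).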

Related information

How to restrict Amazon S3 bucket access to a specific IAM role

AWS JSON policy elements: NotPrincipal

AWS OFFICIAL
Updated 6 months ago