How can I use wildcards with explicit deny with Principal elements instead of NotPrincipal elements in an Amazon S3 bucket policy?
Last updated: 2020-09-18
How can I use wildcards with explicit deny with Principal elements instead of NotPrincipal elements in an Amazon Simple Storage Service (Amazon S3) bucket policy?
Short description
You can prevent specific AWS Identity and Access Management (IAM) entities from accessing your Amazon S3 buckets by designating permissions in a bucket policy that uses the NotPrincipal element and explicit deny. For more information, see using NotPrincipal with Deny.
However, the NotPrincipal element doesn't accept wildcards, so you can't exempt every session of a role (or every entity whose unique ID matches a pattern) with a single NotPrincipal entry. Instead, write the explicit deny with "Principal": "*" and move the exemption into a Condition on the aws:userid key, where the StringNotLike operator does accept wildcards. Each allow statement continues to name its Principal directly.
Resolution
Instead of using NotPrincipal, use Principal in every statement: the allow statements name the role ARN as the Principal, and the deny statement uses "Principal": "*" together with a StringNotLike condition on aws:userid that lists the entities to exempt from the deny.
Before beginning, you must have the following resources:
- An S3 bucket
- An IAM role
- An Amazon Elastic Compute Cloud (Amazon EC2) instance that runs with the IAM role, or another way to assume (switch to) the role
- The unique ID of the IAM entity (for a role, the RoleId, which begins with AROA). If you don't have it, the IAM GetRole API call (aws iam get-role in the AWS CLI) returns it in the RoleId field.
In this example, the aws:userid of a role session has the form role-id:session-name, so the wildcard in "AROAID2GEXAMPLEROLEID:*" matches every session of the role, whatever session name the calling process (an application, a service, or an EC2 instance ID) supplied when it requested temporary credentials. For more information, see Information available in all requests. The account ID 444455556666 is also listed because that's the aws:userid of the account's root user; including it prevents you from locking yourself out of the bucket.
Note: Be sure that you replace the example names with your own role IDs and bucket names. Because the deny statement uses "Principal": "*", it applies to every other IAM user and role in the account, regardless of their identity-based policies, so add the unique ID (or ID:* pattern) of each entity that must keep access before you apply the policy. String condition matching is case-sensitive, and a role's unique ID changes if the role is deleted and recreated, which is exactly why the condition uses the ID rather than the role name.
StringNotLike in the deny block:
    "Condition": {
        "StringNotLike": {
            "aws:userid": [
                "AROAID2GEXAMPLEROLEID:*",
                "444455556666"
            ]
        }
    }
Here is the complete policy. Note that the Principal element must be a JSON object keyed by "AWS" (or the string "*"); a bare array of ARNs is not valid policy syntax and is rejected when you put the bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::444455556666:role/cross-account-read-only-role"
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::awsexamplebucket1"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::444455556666:role/cross-account-read-only-role"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::awsexamplebucket1/*"
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1/*",
                "arn:aws:s3:::awsexamplebucket1"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "AROAID2GEXAMPLEROLEID:*",
                        "444455556666"
                    ]
                }
            }
        }
    ]
}
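The following script is an added example and is not part of the AWS article. It builds the policy above as a Python dict, re-implements the IAM string-condition matching rules that the deny statement relies on ('*' matches any run of characters, '?' one character, everything else literal and case-sensitive) together with the evaluation order (an explicit Deny beats an Allow), and runs a set of constructed callers through it so you can see who the deny catches before you put the policy on a real bucket. The role ID, account ID, and bucket name are the article's example values; the session names, the second role ID (AROAOTHEREXAMPLEID), and the IAM user ID (AIDAEXAMPLEUSERID) are constructed for the example. The evaluator only models what this policy needs (StringLike/StringNotLike, Principal as "*" or an AWS ARN) and is not a general IAM policy simulator.

```python
import json
import re

# Article example values; replace with your own role ID, account, and bucket.
BUCKET = "awsexamplebucket1"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
ROLE_ARN = "arn:aws:iam::444455556666:role/cross-account-read-only-role"
EXEMPT_USERIDS = ["AROAID2GEXAMPLEROLEID:*", "444455556666"]
ALL_ACTIONS = ["s3:ListBucket", "s3:DeleteObject", "s3:GetObject", "s3:PutObject"]


def build_policy(bucket_arn=BUCKET_ARN, role_arn=ROLE_ARN, exempt=EXEMPT_USERIDS):
    """Return the article's bucket policy as a dict. Principal is an object
    keyed by 'AWS'; a bare list of ARNs is not valid policy syntax."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "", "Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": ["s3:ListBucket"], "Resource": bucket_arn},
            {"Sid": "", "Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
             "Resource": f"{bucket_arn}/*"},
            {"Sid": "", "Effect": "Deny", "Principal": "*", "Action": ALL_ACTIONS,
             "Resource": [f"{bucket_arn}/*", bucket_arn],
             "Condition": {"StringNotLike": {"aws:userid": list(exempt)}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern, value):
    """IAM string/ARN matching: '*' matches any run of characters, '?' matches
    one character, all other characters are literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def condition_matches(condition, context):
    """Evaluate a Condition block (StringLike / StringNotLike only).
    A context key that is absent from the request makes StringNotLike true
    (the deny fires) and StringLike false, as in IAM."""
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError(f"unsupported operator in this example: {operator}")
        for key, patterns in pairs.items():
            value = context.get(key)
            hit = value is not None and any(wildcard_match(p, value) for p in _as_list(patterns))
            if (operator == "StringLike") != hit:
                return False
    return True


def principal_matches(principal, caller_arn):
    """'*' matches everyone; otherwise the caller must be listed under 'AWS'.
    Callers are identified here by the ARN IAM matches against the Principal
    element (for an assumed-role session, that is the role's ARN)."""
    if principal == "*":
        return True
    aws_principals = _as_list(principal.get("AWS", []))
    return "*" in aws_principals or caller_arn in aws_principals


def evaluate(policy, caller_arn, context, action, resource):
    """Simplified bucket-policy decision: an explicit Deny wins over any Allow;
    'NoMatch' means the bucket policy alone neither allows nor denies, so the
    outcome is left to the caller's identity-based policies."""
    decision = "NoMatch"
    for st in policy["Statement"]:
        if not principal_matches(st["Principal"], caller_arn):
            continue
        if not any(wildcard_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(wildcard_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed callers: (ARN matched by Principal, aws:userid seen by the Condition).
SAMPLE_CALLERS = {
    "exempt role session": (ROLE_ARN, "AROAID2GEXAMPLEROLEID:i-0123456789abcdef0"),
    "root user": ("arn:aws:iam::444455556666:root", "444455556666"),
    "other role session": ("arn:aws:iam::444455556666:role/admin", "AROAOTHEREXAMPLEID:alice"),
    "IAM user": ("arn:aws:iam::444455556666:user/bob", "AIDAEXAMPLEUSERID"),
    "lower-case role id": (ROLE_ARN, "aroaid2gexampleroleid:alice"),
}


def lockout_report(policy, callers=SAMPLE_CALLERS, action="s3:GetObject",
                   resource=f"{BUCKET_ARN}/report.csv"):
    """Map each caller to the bucket policy's decision for one request."""
    return {name: evaluate(policy, arn, {"aws:userid": userid}, action, resource)
            for name, (arn, userid) in callers.items()}


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=4))
    for name, decision in lockout_report(policy).items():
        print(f"{name:22s} -> {decision}")
```

Run it as-is and you see that only the exempt role's sessions reach "Allow"; the root user gets "NoMatch" (not denied by the bucket policy); and every other role, every IAM user in the account, and even a role ID written in the wrong case lands on "Deny". Feed the report your own entities' unique IDs before you apply the policy to confirm that no one you rely on is locked out.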