How can I use wildcards with explicit deny with Principal elements instead of NotPrincipal elements in an Amazon S3 bucket policy?

Last updated: 2020-09-18

How can I use wildcards with explicit deny with Principal elements instead of NotPrincipal elements in an Amazon Simple Storage Service (Amazon S3) bucket policy?

Short description

You can prevent specific AWS Identity and Access Management (IAM) entities from accessing your Amazon S3 buckets by designating permissions in a bucket policy that uses the NotPrincipal element and explicit deny. For more information, see using NotPrincipal with Deny.

However, wildcards aren't supported in the NotPrincipal element. You must instead use Principal as the target entity in each statement block, and give the deny block a condition that matches the entities granted by each allow block.

Resolution

Instead of using NotPrincipal, use Principal as the target entity in each statement block, and give the deny block a condition that matches the entities granted by each allow block.

Before beginning, you must have the following resources:

In this example, wildcards are used in aws:userid to include all names that are passed by the calling process (such as application, service, or instance ID) when it calls to get temporary credentials. For more information, see Information available in all requests. The root account is included to prevent lockout.

Note: Be sure that you replace the example names with your own role IDs and bucket names.

StringNotLike in the deny block:

"Condition": {
    "StringNotLike": {
        "aws:userid": [
            "AROAID2GEXAMPLEROLEID:*",
            "444455556666"
        ]
    }
}

Here is the complete policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::444455556666:role/cross-account-read-only-role"
                ]
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::awsexamplebucket1"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::444455556666:role/cross-account-read-only-role"
                ]
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::awsexamplebucket1/*"
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1/*",
                "arn:aws:s3:::awsexamplebucket1"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "AROAID2GEXAMPLEROLEID:*",
                        "444455556666"
                    ]
                }
            }
        }
    ]
}
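To see why the wildcard in aws:userid matters, here is an added Python simulation of how the policy above evaluates for different callers. It is not AWS code and not part of the original article: POLICY is a reduced copy of the article's policy (s3:GetObject only), the matching rules cover just the elements this policy uses, and the session names, user IDs and ARNs are constructed.

```python
import re

# Constructed policy with the article's statements reduced to s3:GetObject;
# principals are written under "AWS" as the bucket-policy grammar requires.
ROLE_ARN = "arn:aws:iam::444455556666:role/cross-account-read-only-role"
BUCKET = "arn:aws:s3:::awsexamplebucket1"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]},
         "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
        {"Effect": "Deny", "Principal": "*", "Action": ["s3:GetObject"],
         "Resource": [BUCKET + "/*", BUCKET],
         "Condition": {"StringNotLike": {"aws:userid": [
             "AROAID2GEXAMPLEROLEID:*", "444455556666"]}}},
    ],
}

def iam_like(pattern, value):
    """StringLike semantics: '*' matches any run, '?' exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def statement_applies(stmt, principal_arn, user_id, action, resource):
    """True when principal, action, resource and condition all match."""
    principal = stmt["Principal"]
    if principal != "*" and principal_arn not in _as_list(principal.get("AWS", [])):
        return False
    if not any(iam_like(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(iam_like(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    patterns = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:userid")
    if patterns is None:
        return True
    # StringNotLike holds only when none of the listed patterns match, so the
    # deny fires for every caller whose aws:userid is not on the list.
    return not any(iam_like(p, user_id) for p in _as_list(patterns))

def evaluate(policy, principal_arn, user_id, action, resource):
    """Explicit deny wins; otherwise allow only if some Allow statement applies."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_applies(stmt, principal_arn, user_id, action, resource):
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"
```

A role session's aws:userid is the role's unique ID followed by a colon and the session name, which is why only a wildcard pattern can cover every session; the same binding means a role that is deleted and recreated gets a new unique ID and falls into the deny until the policy is updated.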
