How can I use wildcards with explicit deny with Principal elements instead of NotPrincipal elements in an Amazon S3 bucket policy?

Last updated: 2020-09-18

How can I use wildcards with explicit deny with Principal elements instead of NotPrincipal elements in an Amazon Simple Storage Service (Amazon S3) bucket policy?

Short description

You can prevent specific AWS Identity and Access Management (IAM) entities from accessing your Amazon S3 buckets by designating permissions in a bucket policy that uses the NotPrincipal element and explicit deny. For more information, see using NotPrincipal with Deny.

However, because wildcards aren't supported with the NotPrincipal element, you must use Principal as the target entity in each statement block, which includes the condition for each allow block.

Resolution

Instead of using NotPrincipal, use Principal as the target entity in each statement block, which includes the condition for each allow block.

Before beginning, you must have the following resources:

An S3 bucket
An IAM role
An Amazon Elastic Compute Cloud (Amazon EC2) instance with an IAM role, or you can switch to an IAM role
The unique ID for the IAM entity, or you can perform an IAM API call to get the unique ID

In this example, wildcards are used in aws:userid to include all names that are passed by the calling process (such as application, service, or instance ID) when it calls to get temporary credentials. For more information, see Information available in all requests. The root account is included to prevent lockout.

Note: Be sure that you replace the example names with your own role IDs and bucket names.

StringNotLike in the deny block:

"Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "AROAID2GEXAMPLEROLEID:*",
                        "444455556666"
                    ]
                }
            }

Here is the complete policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": [
                "arn:aws:iam::444455556666:role/cross-account-read-only-role"
            ],
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::awsexamplebucket1"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": [
                "arn:aws:iam::444455556666:role/cross-account-read-only-role"
            ],
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::awsexamplebucket1/*"
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1/*",
                "arn:aws:s3:::awsexamplebucket1"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "AROAID2GEXAMPLEROLEID:*",
                        "444455556666"
                    ]
                }
            }
        }
    ]
}

Related information

How to restrict Amazon S3 bucket access to a specific IAM role

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support