You can prevent AWS Identity and Access Management (IAM) entities from accessing your Amazon S3 buckets by specifying permissions in a bucket policy that uses the NotPrincipal element together with an explicit Deny. However, NotPrincipal does not support wildcards.

In this policy example, you must list the role session name of every user and every instance ID that will assume the role:

"Effect": "Deny",
"NotPrincipal": {
  "AWS": [
    "arn:aws:sts::444455556666:assumed-role/cross-account-read-only-role/cross-account-audit-app",
    "arn:aws:sts::444455556666:assumed-role/cross-account-read-only-role/instanceID",
    "arn:aws:iam::444455556666:role/cross-account-read-only-role",
    "arn:aws:iam::444455556666:root"
  ]
}

To cover all of those users and instances with a single entry, you would need a wildcard in the statement to represent every session of the assumed role, which NotPrincipal does not accept:

"arn:aws:sts::444455556666:assumed-role/cross-account-read-only-role/*"

Before beginning, you must meet the following requirements:

In this example, instead of NotPrincipal, use "Principal": "*" as the target entity in each statement block, and restrict each statement with a Condition on the aws:userid key, including one in each Allow block. The wildcard in "aws:userid": ["ROLE-ID:*"] matches every role session name that the calling process (such as an application, service, or instance ID) passes when it requests temporary credentials, so every session of the role is covered without listing each one. For more information, see Information Available in All Requests. The account ID of the root account is included so that the account owner cannot be locked out:

"Condition": {
    "StringLike": {
        "aws:userid": [
            "AROAID2GEXAMPLEROLEID:*",
            "444455556666"
        ]
    }
}

Use StringNotLike in the Deny block, so that any caller whose aws:userid does not match the role ID or the account ID is explicitly denied:

"Condition": {
    "StringNotLike": {
        "aws:userid": [
            "AROAID2GEXAMPLEROLEID:*",
            "444455556666"
        ]
    }
}

Here is the complete policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::myExampleBucket",
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "AROAID2GEXAMPLEROLEID:*",
                        "444455556666"
                    ]
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::myExampleBucket/*",
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "AROAID2GEXAMPLEROLEID:*",
                        "444455556666"
                    ]
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::myExampleBucket/*",
                "arn:aws:s3:::myExampleBucket"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "AROAID2GEXAMPLEROLEID:*",
                        "444455556666"
                    ]
                }
            }
        }
    ]
}

Note: Be sure that you replace the sample names with your own role IDs and bucket names.
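The following script is an added example, not part of the original article or an AWS tool. It models the three statements above in Python and applies a simplified version of the IAM evaluation order (explicit Deny overrides Allow, and a request that matches nothing is implicitly denied) to constructed sample aws:userid values, so you can see which callers the StringLike and StringNotLike conditions let through before you attach the policy to a real bucket. The role ID, account ID, bucket name and sample session names are the article's placeholders or constructed values; the principal element and IAM's case-insensitive action matching are not modelled.

```python
import re

# Placeholders taken from the article; replace with your own values.
# Find your role's ID with: aws iam get-role --role-name <name> --query Role.RoleId
ROLE_ID = "AROAID2GEXAMPLEROLEID"
ACCOUNT_ID = "444455556666"   # root account's aws:userid is the bare account ID
BUCKET = "myExampleBucket"
ALLOWED_USERIDS = [f"{ROLE_ID}:*", ACCOUNT_ID]

# The article's bucket policy, built as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringLike": {"aws:userid": ALLOWED_USERIDS}}},
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringLike": {"aws:userid": ALLOWED_USERIDS}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
         "Condition": {"StringNotLike": {"aws:userid": ALLOWED_USERIDS}}},
    ],
}


def _glob_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    return re.match(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, userid):
    """Evaluate the only condition operators this policy uses, on aws:userid."""
    for operator, keys in condition.items():
        patterns = _as_list(keys["aws:userid"])
        matched = any(_glob_match(p, userid) for p in patterns)
        if operator == "StringLike" and not matched:
            return False
        if operator == "StringNotLike" and matched:
            return False
    return True


def evaluate(policy, userid, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    An explicit Deny whose condition holds ends evaluation immediately;
    otherwise any matching Allow wins; otherwise the request is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), userid):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed sample callers: two sessions of the allowed role, the root
    # account, an unrelated IAM user, and a session of some other role.
    samples = [
        (f"{ROLE_ID}:cross-account-audit-app", "s3:GetObject", f"arn:aws:s3:::{BUCKET}/report.csv"),
        (f"{ROLE_ID}:i-0123456789abcdef0", "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
        (ACCOUNT_ID, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/new.txt"),
        ("AIDAEXAMPLEOTHERUSER", "s3:GetObject", f"arn:aws:s3:::{BUCKET}/report.csv"),
        ("AROAOTHERROLEID:session", "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
        (f"{ROLE_ID}:app", "s3:PutBucketPolicy", f"arn:aws:s3:::{BUCKET}"),
    ]
    for userid, action, resource in samples:
        print(f"{userid:45} {action:20} -> {evaluate(POLICY, userid, action, resource)}")
```

The "ImplicitDeny" result for s3:PutBucketPolicy shows a caveat worth keeping in mind: the Deny statement only blocks callers outside the role and the root account. A principal that does match the aws:userid condition is not granted anything beyond the listed actions by this bucket policy, but a same-account IAM principal could still be granted those other actions by its identity-based policies, because this script models the bucket policy alone.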

Published: 2017-07-21