I have the following user configuration:
namespace: s3test
user: s3test
subuser: backup (set up with s3 credentials instead of swift)
I want to define a bucket policy that explicitly prevents the backup user from putting to a bucket called hedgehogs, which was created by the s3test user:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPutToHedgehogsForBackup",
            "Effect": "Deny",
            "Principal": {
                "CanonicalUser": "s3test:backup"
            },
            "Action": ["s3:PutObject"],
            "Resource": [
                "arn:aws:s3:::hedgehogs/*"
            ]
        }
    ]
}
However, this seems to prevent both s3test and s3test:backup from putting to hedgehogs.
Is something wrong with my policy syntax, or does that mean that subusers configured with s3 credentials are just another way of accessing s3 with the main user's permissions?
Your bucket policy should be like this:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},
        "Action": "s3:PutObject",
        "Resource": [
            "arn:aws:s3:::hedgehogs/*"
        ]
    }]
}
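To check what a Deny statement actually covers before applying it, here is an added Python example (not code from the question or the answer): a minimal model of bucket-policy evaluation that takes the answer's policy as input. It assumes, as a simplification, that principals are matched by exact ARN string under the "AWS" key and that a "CanonicalUser" principal, as in the original policy, is never matched; the ARN formats are the answer's.

```python
import fnmatch
import json

# The corrected policy from the answer, embedded here as the sample input.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},
    "Action": "s3:PutObject",
    "Resource": ["arn:aws:s3:::hedgehogs/*"]
  }]
}
""")


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, actor_arn):
    """Simplified principal match (assumption of this model): "*" matches
    everyone, otherwise the actor ARN must appear verbatim under "AWS".
    A "CanonicalUser" principal, as in the question's policy, never matches."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", actor_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def evaluate(policy, actor_arn, action, resource_arn):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request, in IAM order:
    a matching Deny always wins, then a matching Allow, otherwise the bucket
    policy is silent and the caller's ordinary permissions decide."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], actor_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Running evaluate() for both principals shows the Deny hitting only the backup subuser's ARN, while the owner s3test gets "ImplicitDeny" from the bucket policy and keeps its normal permissions.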