How to provide S3 bucket access to specific IAM Identity Center (AWS SSO) users while blocking access from other users?
My company has a root AWS account and child accounts. I don't have access to the root account, so I can't tell with detail what is the exact hierarchy. Users are managed through IAM Identity Center in the root account, and from there we select which child accounts the users can access.
In one of these child accounts, we need to implement restricted access for an S3 bucket: some users must have access to the S3 bucket, while everyone else & public access will be denied.
Following this reference, I am trying to use the following policy to test the behavior:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:sts::CHILD_ACCOUNT_NUMBER:federated-user/user1"
},
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
The policy was attached to the bucket using the web console. It's not working, because user1 is still able to delete objects in the bucket. Switching the CHILD_ACCOUNT_NUMBER for the root account number also has no effect.
This also doesn't work:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:sts::CHILD_ACCOUNT_NUMBER:assumed-role/AWSReservedSSO_AdministratorAccess_xxxxxxxxxx/user1"
},
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
because the console outputs:
Thanks to @jarmod CloudTrail tip, I was able to accomplish what I was trying to do.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::test-bucket",
"arn:aws:s3:::test-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"ROLE_ID:user1",
"ROLE_ID:user2"
]
}
}
}
]
}
where ROLE_ID is the ID of the role the users assume when logging into the account. I had to use the API aws iam get-role call with AWS CLI in order to get the ROLE_ID.
- When using the AWS CLI lambda invoke, is there a way to pass environment variables?
- error: failed to solve: failed commit on ref : unexpected status: 400 Bad Request
- Is the fanout pattern using AWS SNS ans SQS reliable?
- API Gateway: JSON 5+ MB Gives error "413, Request Too Long"
- What are the deployment tools used in hybrid cloud
- Delete/Update DynamoDB entries with AWS API
- aws cli ec2 describe-instances table output
- Deploying a microservice with Tensorflow at AWS Lambda
- Issue when using Terraform to manage credentials that access RDS database
- Predictive Auto Scaling for AWS ECS Services
- vitejs build with jsx returning MIME error on aws amplify
- AWS API Gateway : Execution failed due to configuration error: No match for output mapping and no default output mapping configured
- Is there any way to Block request from Postman or other apps to call Restful API
- EC2 user permissions for var/www directory
- How can I recover deleted AWS Lambda code?
- How to discard changes in AWS lambda function inline editor?
- AWS equivalent for Azure Resourcegroup
- Lambda Function to Delete Object after interrogation of file, triggered by S3 Create event not deleting file
- AWS Java SDK v2.0: How to handle providing indexNames at runtime rather than using annotation
- How can I get all thing names from a thing group in AWS IoT Core using a Lambda function?
- AWS CloudFormation is stuck on DELETED_FAILED status
- count value depends on resource attributes that cannot be determined until apply in module
- GraphQL documentation strings (""") not showing up in AWS AppSync Documentation Explorer
- How to check if Python app is running within AWS lambda function?
- how to add raster data using mapbox gl js?
- AWS Application Load Balancer transforms all headers to lower case
- Aws cross-account backup copy and restoration failing due to insufficient privileges
- CDK - S3 notification causing cyclic reference error
- aws beanstalk 403 error while deploying
- Docker commands hanging with no response