amazon-web-servicesamazon-s3amazon-iamaws-iam-identity-center

How to provide S3 bucket access to specific IAM Identity Center (AWS SSO) users while blocking access from other users?


My company has a root AWS account and child accounts. I don't have access to the root account, so I can't tell with detail what is the exact hierarchy. Users are managed through IAM Identity Center in the root account, and from there we select which child accounts the users can access.

In one of these child accounts, we need to implement restricted access for an S3 bucket: some users must have access to the S3 bucket, while everyone else & public access will be denied.

Following this reference, I am trying to use the following policy to test the behavior:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:sts::CHILD_ACCOUNT_NUMBER:federated-user/user1"
            },
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::test-bucket/*"
        }
    ]
}

The policy was attached to the bucket using the web console. It's not working, because user1 is still able to delete objects in the bucket. Switching the CHILD_ACCOUNT_NUMBER for the root account number also has no effect.

This also doesn't work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:sts::CHILD_ACCOUNT_NUMBER:assumed-role/AWSReservedSSO_AdministratorAccess_xxxxxxxxxx/user1"
            },
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::test-bucket/*"
        }
    ]
}

because the console outputs:


Solution

  • Thanks to @jarmod CloudTrail tip, I was able to accomplish what I was trying to do.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::test-bucket",
                    "arn:aws:s3:::test-bucket/*"
                ],
                "Condition": {
                    "StringNotLike": {
                        "aws:userId": [
                            "ROLE_ID:user1",
                            "ROLE_ID:user2"
                        ]
                    }
                }
            }
        ]
    }
    

    where ROLE_ID is the ID of the role the users assume when logging into the account. I had to use the API aws iam get-role call with AWS CLI in order to get the ROLE_ID.