AWS IAM Policy for Service User S3 Access
As a “security custodian” for some of my company’s AWS accounts, I review requests for what we call “service users,” including the AWS IAM Policy documents attached to those users. I prefer these to meet the Principle of least privilege but demand they are not overly aggressive. Recently, I received this proposed policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
}
]
}I replied that this would grant access to all S3 buckets and the Resource clause needed to be restricted to a specific bucket. The requesting team responded with:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::project-bucket-name"
]
}
]
}I realized I should have sent a link to Actions, Resources, and Condition Keys for Amazon S3 because some S3 Actions apply to S3 Buckets and other to S3 Objects. The ARN syntax for S3 Objects requires a slash ( / ) after the bucket name, where /* is the syntax for all objects. The policy below includes a Resource array that includes both the Bucket and all the Objects.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::project-bucket-name",
"arn:aws:s3:::project-bucket-name/*"
]
}
]
}Strictly speaking, the above syntax includes some Action and Resource combinations that are not valid, but I feel it is more readable (and smaller in size) than the more correct syntax.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::project-bucket-name"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::project-bucket-name/*"
]
}
]
}