{{ }} Substitute variables
Adjust the variable values according to your preference.
Policy Code
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "WARNINGBlockAdminConsoleAndApi",
      "Action" : ["s3:*"],
      "Effect" : "Deny",
      "Principal" : "*",
      "Resource" : ["arn:aws:s3:::{{bucket-name}}"],
      "Condition" : {
        "StringNotEquals" : {
          "aws:PrincipalArn" : "arn:aws:iam::1234567890:user/{{remote-user-name}}"
        }
      }
    }
  ]
}
DOC
Be careful with this policy - it uses a condition to deny access to everyone who isn't a specific IAM user, which includes all admin users except the root user. If root is unavailable, TAC can help recover, but they intentionally take time to verify your identity, which can take weeks.
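The lockout described above can be checked before the policy is attached. The following is an added example, not code from the original page: it lists which identities a deny-everyone-but statement would cut off. The bucket name, account id, principal ARNs and the function names are constructed for illustration, and it assumes the exemption is keyed on aws:PrincipalArn.

```python
import json

# Constructed sample: a deny-everyone-but-one-user bucket policy with made-up
# bucket, account id and user names; aws:PrincipalArn is assumed as the key.
REMOTE = "arn:aws:iam::111122223333:user/remote-sync"
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "WARNINGBlockAdminConsoleAndApi",
    "Action": ["s3:*"],
    "Effect": "Deny",
    "Principal": "*",
    "Resource": ["arn:aws:s3:::example-bucket"],
    "Condition": {"StringNotEquals": {"aws:PrincipalArn": "%s"}}
  }]
}
""" % REMOTE)

# Constructed list of identities that are expected to keep access.
# The root user is not modelled here.
PRINCIPALS = [
    REMOTE,
    "arn:aws:iam::111122223333:user/alice-admin",
    "arn:aws:iam::111122223333:role/ops-admin",
]

def exempt_principals(statement):
    """ARNs a statement lets through via StringNotEquals on aws:PrincipalArn."""
    cond = statement.get("Condition", {}).get("StringNotEquals", {})
    for key, value in cond.items():
        if key.lower() == "aws:principalarn":  # condition key names ignore case
            return {value} if isinstance(value, str) else set(value)
    return set()  # any other key exempts nobody by identity

def locked_out(policy, principals):
    """Principals caught by a Deny statement that applies to Principal '*'."""
    denied = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Deny" and st.get("Principal") in ("*", {"AWS": "*"}):
            allowed = exempt_principals(st)
            denied |= {p for p in principals if p not in allowed}
    return sorted(denied)

if __name__ == "__main__":
    for arn in locked_out(POLICY, PRINCIPALS):
        print("would be denied:", arn)
```

Run it against the rendered policy and the list of identities that must keep access; any ARN it prints needs to be added to the exemption or accepted as locked out.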