(WARNING) Block All S3 Access Except Root

Feb 01, 2022

0

Share this article

{{ }} Substitute variables

Adjust the variable values according to your preference.

Policy Code

1{
2      "Version" : "2012-10-17",
3      "Statement" : [
4        {
5          "Sid" : "WARNINGBlockAdminConsoleAndApi",
6          "Action" : ["s3:*"],
7          "Effect" : "Deny",
8          "Principal" : "*",
9          "Resource" : ["arn:aws:s3:::{{bucket-name}}"],
10          "Condition" : {
11            "StringNotEquals" : {
12              "s3:prefix" : "arn:aws:iam::1234567890:user/{{remote-user-name}}"
13            }
14          }
15...
DOC

Be careful with this policy - it uses a conditional to block access to everyone who isn't a specific IAM user, which includes all admin users except the root user. If root is unavailable, TAC can help recover, but they intentionally take time to verify your identity, which can take weeks.

    img

    Related Policies

    POLICY

    AWS ECR Resource Policy: Block Outside Specific Public IP Ra...

    Permits connection from only a specific public IP range

    Amazon Web ServicesAWS Elastic Container Registry (ECR)

    Mar 07, 2022

    0
    POLICY

    AWS ECR: Permit Cross Account Image Upload

    Grant n AWS accounts, any principal, to connect to ECR resource and upload image...

    Amazon Web ServicesAWS Elastic Container Registry (ECR)

    Mar 07, 2022

    0
    POLICY

    AWS ECR, Permit Cross Account Image Download

    Grant n other accounts access to this ECR, account-wide. Use more specific princ...

    Amazon Web ServicesAWS Elastic Container Registry (ECR)

    Feb 16, 2022

    0
    img

    Join the beta waitlist

    Enter your email to get notified when our product becomes available to try.

    Sign Up for the community

    Create your member profile to get involved with our content, programs, and events.