AWS S3 bucket policy to deny all except specific IAM roles, IAM user IDs and the AWS root account

Scenario: an S3 bucket policy that denies every S3 action to everyone except specific IAM roles, specific IAM user IDs and the AWS root account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3-User-Access",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::ge0001/*",
                "arn:aws:s3:::ge0001"
            ],
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "aws:userid": [
                        "AIDXxxxxx2333",
                        "AROAxxxxxx1111:*",
                        "AROAxxxxxxx33322:*",
                        "011223344332"
                    ]
                }
            }
        }
    ]
}


Note:
  • AIDXxxxxx2333 – unique ID of the IAM user "test". To get a user's ID: aws iam list-users
  • AROAxxxxxx1111 – unique ID of the IAM role "EMR_DefaultRole"; the ":*" suffix matches any session name assumed under the role. To get a role's ID: aws iam list-roles
  • AROAxxxxxxx33322 – unique ID of the IAM role "EMR_EC2_DefaultRole", again with ":*" to cover every role session. To get a role's ID: aws iam list-roles
  • 011223344332 – the AWS account ID, which is the aws:userid of the account's root user. To get it, sign in to the console and check the account menu in the top-right corner.
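Because a wrong or missing ID in this list locks the bucket for everyone it does not name, it is worth checking the exclusion list before attaching the policy. The following Python script is an added example, not part of the original post: it builds the same policy for a bucket name and evaluates the StringNotLike condition against sample aws:userid values using a simplified re-implementation of IAM's wildcard matching (only '*' and '?' are honoured, as in IAM). The IDs are the post's placeholders, and the session names are constructed.

```python
import json
import re

# Constructed sample values mirroring the post's placeholders; not real AWS IDs.
BUCKET = "ge0001"
ALLOWED_USERIDS = [
    "AIDXxxxxx2333",       # IAM user "test"
    "AROAxxxxxx1111:*",    # any session assumed under role EMR_DefaultRole
    "AROAxxxxxxx33322:*",  # any session assumed under role EMR_EC2_DefaultRole
    "011223344332",        # the account's root user (its aws:userid is the account ID)
]


def build_policy(bucket: str, allowed_userids: list) -> dict:
    """Build the post's bucket policy for the given bucket and aws:userid patterns."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3-User-Access",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
            "Condition": {"ForAnyValue:StringNotLike": {"aws:userid": allowed_userids}},
        }],
    }


def iam_like(value: str, pattern: str) -> bool:
    """Simplified IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def deny_applies(policy: dict, userid: str) -> bool:
    """True when the Deny statement fires for a request whose aws:userid is `userid`.
    StringNotLike is satisfied (so the Deny applies) only if the value matches none
    of the listed patterns."""
    stmt = policy["Statement"][0]
    patterns = stmt["Condition"]["ForAnyValue:StringNotLike"]["aws:userid"]
    return not any(iam_like(userid, p) for p in patterns)


if __name__ == "__main__":
    policy = build_policy(BUCKET, ALLOWED_USERIDS)
    print(json.dumps(policy, indent=4))
    for uid in ["AIDXxxxxx2333", "AROAxxxxxx1111:emr-session", "011223344332", "AIDAOTHERUSER9"]:
        verdict = "DENIED" if deny_applies(policy, uid) else "not denied by this statement"
        print(f"{uid:32} -> {verdict}")
```

A Deny that does not fire is not a grant: the listed users and roles still need an Allow for the bucket in their own IAM policies. The explicit Deny applies to the root user as well, which is why the account ID must be in the list.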
