How to deny s3 bucket access for an AWS account

I have an AWS account with ID 11111 and I would like to deny access to certain parts of an s3 bucket to the same account the bucket belongs to, even if the role accessing that object has full s3 access.

It is my understanding that setting a DENY rule in an S3 bucket policy should do that, so I tried the bucket policy below:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Deny",
          "Principal": { "AWS": "arn:aws:iam::111111:root" },
          "Action": [
            "s3:PutObject",
            "s3:GetObjectVersion",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Resource": [ "arn:aws:s3:::mybucket/production/*" ]
        }
      ]
    }

However, an EC2 machine in the same account as the S3 bucket, with an IAM role that allows full access to the bucket (s3:*), is still able to read/write mybucket/production/*.

Am I missing something? Shouldn't the DENY bucket rule take precedence? How does one handle this situation? I want to avoid having to remove the full access from the ec2 role but rather be able to deny on top of that.

Alexandre Thenorio asked Jan 18 '26 19:01


1 Answer

I believe the following is going on here:

  1. The account 111111 owns the S3 bucket and the IAM entity (in this case an IAM role).

  2. Since the request is being made from an IAM role in the same account (bucket owner), S3 will only check the "User Context".

  3. While evaluating the "User Context", S3 will take into account:

    • Policies attached to the IAM role
    • Bucket policy
    • Bucket and Object ACL (if any)

  4. The request is allowed via the IAM role's permission policy and there is no explicit Deny for the IAM Role because the Principal in the bucket policy is actually for the "Root User" and NOT covering the IAM entities in 111111 account since both accounts (bucket owner and 111111) are same.

I tested this and, using a similar policy, my Root user cannot delete or upload objects into the bucket. However, root can gain access by deleting the bucket policy.

As @John Hanley mentioned, you can use the IAM role as a principal to deny access to the production "folder", but as the role has S3FullAccess, it can delete the bucket policy, so I'd recommend denying that capability as well.

sudo answered Jan 21 '26 08:01
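As an added example (not code from the question or the answer), the Python below builds the bucket policy the answer recommends: the EC2 role's ARN, rather than the account root, is the denied principal for the production prefix, and a second Deny stops that role from replacing or deleting the bucket policy. The role name and the small principal/action matcher are assumptions constructed here; the matcher only models the point that a Deny naming the root ARN does not name the role.

```python
import json
from fnmatch import fnmatchcase

# Constructed values: the account and bucket from the question, a hypothetical role name.
ACCOUNT_ID = "111111"
BUCKET = "mybucket"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ec2-full-s3-role"


def build_bucket_policy(role_arn: str, bucket: str) -> dict:
    """Deny the named IAM role (not the account root) on production/*,
    and also deny it the bucket-policy actions so it cannot lift the Deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRoleOnProductionPrefix",
                "Effect": "Deny",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:PutObject", "s3:GetObjectVersion",
                           "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/production/*",
            },
            {
                "Sid": "DenyRoleFromEditingBucketPolicy",
                "Effect": "Deny",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


def explicit_deny_applies(policy: dict, principal_arn: str, action: str, resource: str) -> bool:
    """True if a Deny statement names this exact principal ARN (or "*") together with
    the action and a matching resource. A root-ARN Deny therefore never matches a role ARN."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        principals = stmt["Principal"]
        if principals != "*":
            arns = principals.get("AWS", [])
            arns = [arns] if isinstance(arns, str) else arns
            if "*" not in arns and principal_arn not in arns:
                continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if action in actions and any(fnmatchcase(resource, r) for r in resources):
            return True
    return False


def policy_json(role_arn: str = ROLE_ARN, bucket: str = BUCKET) -> str:
    """Serialised form suitable for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(build_bucket_policy(role_arn, bucket), indent=2)
```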


