S3 Bucket Policy to deny all except for IAM Role
February 1, 2017
Effectively deny `s3:*` on the bucket for every principal except one IAM role/user in account 123456789012, and additionally deny `s3:DeleteObject`, `s3:GetObject` and `s3:ListBucket` for that IAM user. Before attaching the policy below as-is, note four problems a reviewer will hit: (1) `aws:arn` is not a documented IAM condition key; the key that carries the caller's ARN is `aws:PrincipalArn` (on older accounts the equivalent pattern used `aws:userid`). Because negated operators such as `StringNotLike` match when the key is absent from the request context, the first Deny as written applies to every caller — including the one it is meant to exempt — and the bucket stays locked until the account root deletes the policy. The bare value `"123456789012"` also never matches an ARN; the root user is `arn:aws:iam::123456789012:root`. (2) The exemption pattern `user/*` matches only IAM users; a role (`role/...`) or an assumed-role session (`arn:aws:sts::...:assumed-role/...`) is still denied, so the "IAM Role" case in the title is not actually covered. (3) A named `Principal` must be written as `{"AWS": "arn:aws:iam::123456789012:user/IAM_USER"}`; a bare ARN string is accepted only for `"*"`, and S3 will reject the policy otherwise. (4) `s3:ListBucket` is a bucket-level action and must be denied on `arn:aws:s3:::BUCKETNAME`, not on `arn:aws:s3:::BUCKETNAME/*`, where it never matches. Validate with the IAM policy simulator, and keep a path for an administrator to call `s3:PutBucketPolicy`/`s3:DeleteBucketPolicy`, before applying a blanket `Deny s3:*` in production.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyEverythingforEveryoneExceptIAMRole/User", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*" ], "Condition": { "StringNotLike": { "aws:arn": [ "arn:aws:iam::123456789012:user/*", "123456789012" ] } } }, { "Sid": "DenyUserforDeleteGetList", "Effect": "Deny", "Principal": "arn:aws:iam::123456789012:user/IAM_USER", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::BUCKETNAME/*" ] } ] } |