Return
-
Title
How to limit permissions to a specific Amazon S3 container -
Description
This KB demonstrates an example of a JSON policy that can be used to limit an Amazon user to manage a specific S3 container. Amazon allows managing access by creating policies and attaching them to IAM users, groups, or roles.
In this example, an IAM resource-based policy is used in order to limit access to a specific container by explicitly deny all operations that require other Amazon services or containers.
-
Resolution
In order to create a new AWS IAM Policy, please follow these steps:
- Access the management console and then browse to the "Security, Identity, & Compliance" section.
- Click on IAM (Identity and Access Management)
- In the Access Management section, click on Policies.
- Click on Create Policy.
- Switch to the JSON tab, and then paste the provided code.
- Modify the name of the buckets to match the existing S3 container that will be used for the archive.
- Once done, click on Review Policy to continue.
- Provide a Name and a Description (optional) for the IAM Policy and then click on Create.
Once this policy has been created, it is required to attach this new policy to an existing user or create a new user for this policy.
The JSON policy is included below:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*" ] }, { "Effect": "Deny", "NotAction": "s3:*", "NotResource": [ "arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*" ] } ] }- The ListMyBuckets action is required as Rapid Recovery requires enough access to gather a list of available S3 containers.
- All S3 operations are allowed for the specific resource, in this case, the S3 container called BUCKETNAME.
- All other AWS services are explicitly denied.
- All other S3 operations that are not meant for the S3 container called BUCKETNAME are explicitly denied.