Nick Littrell - 29 days ago
JSON Question

How to structure IAM power user to have read-only access to an S3 bucket?

(background) Currently I am trying to make a general policy for anyone who needs an account at my company so that they have access to anything they need on AWS except the ability to change their own permissions. The idea there is to give them the managed policy "PowerUserAccess". Also, in their account, they will have an S3 bucket with billing permissions, "arn:aws:s3:::c3-uits-s3".

(problem) I have tried to make this S3 bucket read-only, so that they can see/download their billing but not upload to/delete from the bucket. My first attempt was to

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::c3-uits-s3"
      ]
    }
  ]
}


deny every action except Get* and List*, but with those permissions I was still able to upload/delete, so I tried to keep only the permissions necessary to view and nothing else, and I came up with

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "NotAction": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::c3-uits-s3"
      ]
    }
  ]
}


which still had the same effect of being able to upload/delete. Another variation I tried was

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "iam:*",
        "s3:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "NotResource": [
        "arn:aws:s3:::c3-uits-s3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::c3-uits-s3"
      ]
    }
  ]
}


and

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::c3-uits-s3"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:Put*",
        "s3:Create*",
        "s3:Delete*",
        "s3:Replicate*"
      ],
      "Resource": [
        "arn:aws:s3:::c3-uits-s3"
      ]
    }
  ]
}


Any help or pointers in the right direction would be greatly appreciated!

Answer

The Resource for a bucket is "arn:aws:s3:::bucket-name" but the Resource for the objects in a bucket is "arn:aws:s3:::bucket-name/*".

You aren't denying any operations on objects here.
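The bucket-versus-object ARN point in the answer, shown as an added example (written for this page, not code from the asker or the answerer). It is a deliberately simplified model of IAM identity-policy evaluation, not AWS's engine: it implements explicit Deny over Allow, implicit deny by default, `*`/`?` wildcards and Action/NotAction, Resource/NotResource, and ignores Condition keys, resource policies and SCPs. `read_only_policy`, `evaluate`, `decisions`, the sample request list and the account ID are all constructed here; the bucket ARN is the one from the question. Running it shows that the asker's Deny, which names only `arn:aws:s3:::c3-uits-s3`, still lets `s3:PutObject` and `s3:DeleteObject` through, while the same Deny with `arn:aws:s3:::c3-uits-s3/*` added blocks them and keeps Get/List working.

```python
"""Simplified IAM identity-policy evaluator (illustrative model, not AWS's own
engine): explicit Deny beats Allow, anything not allowed is implicitly denied,
"*"/"?" wildcards in Action and Resource, Action/NotAction and
Resource/NotResource. No Condition keys, resource policies or SCPs."""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::c3-uits-s3"        # bucket ARN from the question
OBJECTS = "arn:aws:s3:::c3-uits-s3/*"     # ARN pattern covering the bucket's objects


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """True if any policy pattern matches the requested action or ARN."""
    patterns = _as_list(patterns)
    if case_insensitive:                  # action names are case-insensitive
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _applies(stmt, action, resource):
    """Does the statement's (Not)Action and (Not)Resource cover this request?"""
    if "Action" in stmt:
        action_ok = _matches(stmt["Action"], action, case_insensitive=True)
    else:
        action_ok = not _matches(stmt["NotAction"], action, case_insensitive=True)
    if "Resource" in stmt:
        resource_ok = _matches(stmt["Resource"], resource)
    else:
        resource_ok = not _matches(stmt["NotResource"], resource)
    return action_ok and resource_ok


def evaluate(policy, action, resource):
    """Return "Allow" or "Deny" for one (action, resource ARN) request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                 # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allows


def read_only_policy(deny_resources):
    """The asker's first attempt, parameterised on what the Deny statement names."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
            {"Effect": "Deny", "NotAction": ["s3:List*", "s3:Get*"],
             "Resource": deny_resources},
        ],
    }


ASKERS_POLICY = read_only_policy([BUCKET])           # Deny names only the bucket
FIXED_POLICY = read_only_policy([BUCKET, OBJECTS])   # Deny names bucket and objects

# Constructed sample requests: (action, resource ARN). Account ID is a placeholder.
REQUESTS = [
    ("s3:ListBucket", BUCKET),
    ("s3:GetObject", BUCKET + "/billing/2023-01.csv"),
    ("s3:PutObject", BUCKET + "/billing/upload.csv"),
    ("s3:DeleteObject", BUCKET + "/billing/2023-01.csv"),
    ("s3:DeleteBucket", BUCKET),
    ("ec2:DescribeInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
]


def decisions(policy):
    """Map each sample request's action to the policy's decision."""
    return {action: evaluate(policy, action, resource) for action, resource in REQUESTS}


if __name__ == "__main__":
    for name, policy in (("asker's Deny", ASKERS_POLICY), ("Deny with /*", FIXED_POLICY)):
        print(name)
        for action, decision in decisions(policy).items():
            print(f"  {action:<22} {decision}")
```

The model only demonstrates the matching rule; for the real policy, the IAM policy simulator (`aws iam simulate-custom-policy` with `--action-names` and `--resource-arns`, or the console simulator) is the authoritative check, and it is worth running it for both the bucket ARN and an object ARN under it, since bucket-level calls such as `s3:ListBucket` and object-level calls such as `s3:PutObject` are evaluated against different resources.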