Effective IAM for AWS
Appendix - Least privilege S3 bucket policy
Appendix - Least privilege S3 bucket policy
This is the complete least privilege S3 bucket policy for the 'simple' application described in Control Access to Any Resource.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowRestrictedAdministerResource", "Effect": "Allow", "Action": [ "s3:PutReplicationConfiguration", "s3:PutObjectVersionAcl", "s3:PutObjectRetention", "s3:PutObjectLegalHold", "s3:PutObjectAcl", "s3:PutMetricsConfiguration", "s3:PutLifecycleConfiguration", "s3:PutInventoryConfiguration", "s3:PutEncryptionConfiguration", "s3:PutBucketWebsite", "s3:PutBucketVersioning", "s3:PutBucketTagging", "s3:PutBucketRequestPayment", "s3:PutBucketPublicAccessBlock", "s3:PutBucketPolicy", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketNotification", "s3:PutBucketLogging", "s3:PutBucketCORS", "s3:PutBucketAcl", "s3:PutAnalyticsConfiguration", "s3:PutAccelerateConfiguration", "s3:DeleteBucketWebsite", "s3:DeleteBucketPolicy", "s3:BypassGovernanceRetention" ], "Resource": [ "arn:aws:s3:::sensitive-app-data/*", "arn:aws:s3:::sensitive-app-data" ], "Principal": { "AWS": "*" }, "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::111:user/ci", "arn:aws:iam::111:role/admin" ] } } }, { "Sid": "AllowRestrictedReadData", "Effect": "Allow", "Action": [ "s3:ListMultipartUploadParts", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads", "s3:ListBucket", "s3:GetObjectVersionTorrent", "s3:GetObjectVersionTagging", "s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersion", "s3:GetObjectTorrent", "s3:GetObjectTagging", "s3:GetObjectRetention", "s3:GetObjectLegalHold", "s3:GetObjectAcl", "s3:GetObject", "s3:GetMetricsConfiguration", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:GetEncryptionConfiguration", "s3:GetBucketWebsite", "s3:GetBucketVersioning", "s3:GetBucketTagging", "s3:GetBucketRequestPayment", "s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus", "s3:GetBucketPolicy", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketNotification", "s3:GetBucketLogging", "s3:GetBucketLocation", "s3:GetBucketCORS", "s3:GetBucketAcl" ], "Resource": [ "arn:aws:s3:::sensitive-app-data/*", "arn:aws:s3:::sensitive-app-data" ], "Principal": { "AWS": "*" }, "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::111:role/cust-service", "arn:aws:iam::111:role/app" ] } } }, { "Sid": "AllowRestrictedWriteData", "Effect": "Allow", "Action": [ "s3:RestoreObject", "s3:ReplicateTags", "s3:ReplicateObject", "s3:ReplicateDelete", "s3:PutObjectVersionTagging", "s3:PutObjectTagging", "s3:PutObject", "s3:PutBucketTagging", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::sensitive-app-data/*", "arn:aws:s3:::sensitive-app-data" ], "Principal": { "AWS": "*" }, "Condition": { "ArnEquals": { "aws:PrincipalArn": "arn:aws:iam::111:role/app" } } }, { "Sid": "AllowRestrictedDeleteData", "Effect": "Allow", "Action": [ "s3:DeleteObjectVersionTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectTagging", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::sensitive-app-data/*", "Principal": { "AWS": "*" }, "Condition": { "ArnEquals": { "aws:PrincipalArn": [] } } }, { "Sid": "AllowRestrictedCustomActions", "Effect": "Allow", "Action": "s3:GetAnalyticsConfiguration", "Resource": [ "arn:aws:s3:::sensitive-app-data/*", "arn:aws:s3:::sensitive-app-data" ], "Principal": { "AWS": "*" }, "Condition": { "ArnEquals": { "aws:PrincipalArn": [] } } }, { "Sid": "DenyEveryoneElse", "Effect": "Deny", "Action": "s3:*", "Resource": [ "arn:aws:s3:::sensitive-app-data/*", "arn:aws:s3:::sensitive-app-data" ], "Principal": { "AWS": "111" }, "Condition": { "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::111:user/ci", "arn:aws:iam::111:role/cust-service", "arn:aws:iam::111:role/app", "arn:aws:iam::111:role/admin" ] } } }, { "Sid": "DenyInsecureCommunications", "Effect": "Deny", "Action": "s3:*", "Resource": [ "arn:aws:s3:::sensitive-app-data/*", "arn:aws:s3:::sensitive-app-data" ], "Principal": { "AWS": "*" }, "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Sid": "DenyUnencryptedStorage", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::sensitive-app-data/*", "Principal": { "AWS": "*" }, "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } } }, { "Sid": "DenyStorageWithoutKMSEncryption", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::sensitive-app-data/*", "Principal": { "AWS": "*" }, "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } } } ]}