Replies: 1 comment 2 replies
-
|
I am not sure if bucket policy with IAM User as a condition is a good idea but looks like you are trying to define a bucket policy with condition for a specific IAM user created by CDK? According to this, I think you should be able to reference to the |
Beta Was this translation helpful? Give feedback.
-
|
Hi @pahud, thanks for answering! to give more context about my issue, I'm working on a template for deploying buckets for a Datalake, the idea is to have the buckets only with permissions for a user created under the same stack, (the datalake admin) and for certain roles that lambdas and glueJobs will assume, to read from/ and write to these specific buckets, the idea is deny any other entity outside of the scope to get data from these buckets, even with administrator access roles. I've come across a partial solution which is writing the policy as follows new PolicyStatement({
effect: Effect.DENY,
principals: [new AnyPrincipal()],
actions: [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:PutObjectAcl"
],
resources: [
...resources // list of resources (bucket and content)
],
conditions:{
StringNotLike:{
"aws:userId":[
...ids // this receives a list of resourceIds (roles)
],
"aws:username":[
...userNames //since I can't access the userId from CDK, a workaround is to use the username
]
}
}
})
It's not ideal, but it does the job. (kind of) I'll update here if a can come up with a better solution in a few days! the ARNs work for users, my problem there goes when I try to pass ROLE ARNs, since they mutate when assumed by lambdas. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for sharing your use case. I probably would consider to create a |
Beta Was this translation helpful? Give feedback.
-
Hi! I'm creating a stack that contains certain buckets that are meant to be seen/ used only by a certain list of users / resources, based on this guide: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
I've used the following policy as a test for the roles:
{ "Effect": "Deny", "Principal": "*", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::bucket-policy-test-ever-do-not-delete", "arn:aws:s3:::bucket-policy-test-ever-do-not-delete/*" ], "Condition": { "StringNotLike": { "aws:userId": [ "AROAXXXXXXXXXXXXXXXXX:*" ] } } }It works for the roles created with CDK since I can access the role id with the following
However, it seems that I can't do the same with the users created directly with CDK
I can access to the user id after it has been created with
which returns the following:
{ "UserId": "AIDAXXXXXXXXXXXXXXXXX", "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/user_created_with_cdk" }Is there a way to get access to the User id created with CDK for the bucket policy?
A custom resource maybe?
EXTRA INFO:
I tried to apply a bucket policy based only on the ARNs, but it doesn't seem to work, but that is an entirely different issue. 😁
the bucket policy based on arns: (that doesn't work) is the following:
{ "Sid": "xxx", "Effect": "Deny", "NotPrincipal": { "AWS": [ "arn:aws:iam::123456789012:role/CredMgr", "arn:aws:iam::123456789012:user/user_created_with_cdk", ] }, "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::bucket-policy-test-ever-do-not-delete", "arn:aws:s3:::bucket-policy-test-ever-do-not-delete/*" ] }Beta Was this translation helpful? Give feedback.
All reactions