
Basically, this policy is for AWS Transfer Family. I need to deny all access to a specific folder inside the S3 bucket. I tried the below policy, but still I was able to list the contents of the folder. But it was denied for PUT and DELETE operations.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetBucketAcl"
      ],
      "Resource": [
        "arn:aws:s3:::${bucket_name}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::${bucket_name}/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::${bucket_name}/app/restricted",
        "arn:aws:s3:::${bucket_name}/app/restricted/*"
      ]
    }
  ]
}

Expected: aws s3 ls s3://sample_bucket/app/restricted/data - Access Denied

Behaviour: aws s3 ls s3://sample_bucket/app/restricted/data - Listing all the contents of the folder

Ravichandran

1 Answer


The ListBucket operation (which lists objects within a bucket) is a bucket-level permission, so it ignores the path in the supplied Resource.

Instead, you can specify the path in a Condition parameter.

From Amazon S3 Bucket: Deny List, Read, Write to specific folder - Stack Overflow:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket_name}",
      "Condition": {
        "StringLike": {
          "s3:prefix": "app/restricted/*"
        }
      }
    }
  ]
}

This will Deny listing the contents of the bucket when the prefix is app/restricted/*. Add this statement to your existing policy, since it specifically applies to ListBucket. Keep your existing Deny statement since it applies to other operations, such as GetObject and PutObject (which do accept paths in the resource).

John Rotenstein
  • Initially, I tried this condition block, but it's denying only the list action and I was able to upload and download files. Do you want me to apply both policy statements to deny all the actions? – Ravichandran Nov 08 '22 at 22:23
  • Yes. The above is specifically restricting the `ListBucket` operation, which uses a Prefix Condition. To deny Get/Put, you will still need a Deny policy that refers to the path in the Resource. Apply both. – John Rotenstein Nov 08 '22 at 22:38
  • Is that not possible to deny the other actions on the same condition block statement? – Ravichandran Nov 09 '22 at 08:35
  • I'm not sure what you're asking, but the `Condition` above is specific to `ListBucket`. This page explains which Actions allow Conditions: [Actions, resources, and condition keys for Amazon S3 - Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html) – John Rotenstein Nov 09 '22 at 09:02
  • I'm asking if the `Condition` supports only the `ListBucket` action. I thought of having a single `Deny` statement if it helps. – Ravichandran Nov 09 '22 at 09:31
  • No. The `ListBucket` operates on the bucket, so you shouldn't put the path in the Resource. It needs to be a separate statement to keep both parts working. By the way, I highly recommend avoiding the use of `Deny` whenever possible -- it can lead to some unexpected behaviours, such as blocking _your_ ability to list that folder. It is always preferable to limit what is given in the `Allow` statement, if possible. – John Rotenstein Nov 09 '22 at 09:38
  • Understood and you are correct. When I applied the two `Deny` statements, the entire bucket was denied. Eventually, I need to `Deny` `ListObject`, `GetObject`, and `PutObject` to a specific folder `app/restricted/*` – Ravichandran Nov 09 '22 at 10:05
  • If you need to deny access to Admins and people who normally have access to _every_ bucket, an alternative approach is to create the S3 bucket **in a different AWS Account**. Then, _nobody_ will have access unless specifically granted. – John Rotenstein Nov 09 '22 at 10:19
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/249445/discussion-between-ravichandran-and-john-rotenstein). – Ravichandran Nov 09 '22 at 10:21
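The matching rule the answer relies on, as an added Python model (not code from the thread or from AWS): ListBucket is evaluated against the bucket ARN, so a Deny whose Resource carries an object path never matches it, while a Deny scoped by the `s3:prefix` condition key does; object actions such as GetObject are matched against the object ARN, so the path-based Deny catches them. It assumes a constructed bucket name `sample_bucket`, reduces IAM evaluation to "an explicit Deny wins, otherwise an Allow must match", and goes one step past the thread: a listing whose prefix is exactly `app/restricted` (no trailing slash) is not matched by `app/restricted/*`, so the stricter variant lists both patterns.

```python
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::sample_bucket"  # constructed name; the thread uses ${bucket_name}

def _match_any(patterns, value):
    """IAM-style wildcard match; a policy field may be a string or a list."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)

def statement_applies(stmt, action, resource, prefix=None):
    """Does this statement match a request (action, resource ARN, s3:prefix)?"""
    if not _match_any(stmt["Action"], action) or not _match_any(stmt["Resource"], resource):
        return False
    cond = stmt.get("Condition", {}).get("StringLike", {})
    if "s3:prefix" in cond:
        # A StringLike condition on a key the request does not carry cannot match.
        return prefix is not None and _match_any(cond["s3:prefix"], prefix)
    return True

def evaluate(statements, action, resource, prefix=None):
    """Reduced IAM logic: any matching Deny wins, otherwise a matching Allow is needed."""
    hits = [s for s in statements if statement_applies(s, action, resource, prefix)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "Deny"
    return "Allow" if hits else "Deny"  # no match at all is the implicit deny

ALLOW = [  # the asker's Allow statements, trimmed to the actions checked below
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
]
# The asker's Deny: a path in Resource, which ListBucket never matches (its resource is the bucket ARN).
PATH_DENY = {"Effect": "Deny", "Action": "s3:*",
             "Resource": [BUCKET + "/app/restricted", BUCKET + "/app/restricted/*"]}
# The answer's Deny: ListBucket on the bucket ARN, scoped by the s3:prefix condition key.
PREFIX_DENY = {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": BUCKET,
               "Condition": {"StringLike": {"s3:prefix": "app/restricted/*"}}}
# Stricter variant (added here): "app/restricted/*" needs the trailing slash, so also list the bare prefix.
PREFIX_DENY_STRICT = {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": BUCKET,
                      "Condition": {"StringLike": {"s3:prefix": ["app/restricted", "app/restricted/*"]}}}

def check(denies):
    """Outcomes for the thread's requests under the Allow statements plus the given Deny statements."""
    policy = ALLOW + list(denies)
    return {
        "list_restricted": evaluate(policy, "s3:ListBucket", BUCKET, prefix="app/restricted/data/"),
        "list_bare_prefix": evaluate(policy, "s3:ListBucket", BUCKET, prefix="app/restricted"),
        "get_restricted": evaluate(policy, "s3:GetObject", BUCKET + "/app/restricted/data/x.csv"),
        "list_public": evaluate(policy, "s3:ListBucket", BUCKET, prefix="app/public/"),
        "get_public": evaluate(policy, "s3:GetObject", BUCKET + "/app/public/y.csv"),
    }
```

`check([PATH_DENY])` reproduces the asker's symptom (listing allowed, GetObject denied); `check([PATH_DENY, PREFIX_DENY])` shows both denied while `app/public/` stays reachable, and only the strict variant also blocks the bare `app/restricted` prefix.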