
My company has a root AWS account and child accounts. I don't have access to the root account, so I can't tell in detail what the exact hierarchy is. Users are managed through IAM Identity Center in the root account, and from there we select which child accounts the users can access.

In one of these child accounts, we need to implement restricted access for an S3 bucket: some users must have access to the S3 bucket, while everyone else & public access will be denied.

Following this reference, I am trying to use the following policy to test the behavior:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:sts::CHILD_ACCOUNT_NUMBER:federated-user/user1"
            },
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::test-bucket/*"
        }
    ]
}

The policy was attached to the bucket using the web console. It's not working, because user1 is still able to delete objects in the bucket. Switching the CHILD_ACCOUNT_NUMBER for the root account number also has no effect.

This also doesn't work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:sts::CHILD_ACCOUNT_NUMBER:assumed-role/AWSReservedSSO_AdministratorAccess_xxxxxxxxxx/user1"
            },
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::test-bucket/*"
        }
    ]
}

because the console outputs:

    If you have CloudTrail enabled, can you see what IAM principal ARN actually deleted the object? Commented May 13 at 18:24
  • @jarmod thanks for the CloudTrail tip. I was able to identify the IAM principal ARN and to determine the correct format. Will post the solution. Commented May 14 at 0:27

1 Answer

Thanks to @jarmod's CloudTrail tip, I was able to accomplish what I was trying to do.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::test-bucket",
                "arn:aws:s3:::test-bucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "ROLE_ID:user1",
                        "ROLE_ID:user2"
                    ]
                }
            }
        }
    ]
}

where ROLE_ID is the ID of the role the users assume when logging into the account. I had to call the aws iam get-role API with the AWS CLI in order to get the ROLE_ID.


1 Comment

You might also be able to simply set a condition on identitystore:UserId.
