0

I need to create an AWS IAM policy that prevents users from disabling the "Block all public access" configuration on S3 buckets, but still allows them to re-enable it if it was already disabled. I need to provide exemptions, when needed like exempting some accounts and buckets.

I initially tried this policy.

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingBPAExceptExemptBucketsAndAccounts",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock"
      ],
      "NotResource": [
        "arn:aws:s3:::<bucketname>"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": [
            "account-id-1"
          ]
        },
       "StringEquals": {
          "s3:x-amz-public-access-block-enabled": "false"
        }
      }
    }
  ]
}

The condition key s3:x-amz-public-access-block-enabled is invalid in AWS.enter image description here

I need to,

  • Deny users from disabling the public access block settings
  • If Block Public Access (BPA) is already ON, no one should be able to turn it OFF.
  • If BPA is OFF, users should be allowed to turn it ON.

The above policy is disabling both the conditions. How can I construct an IAM policy that achieves this?

Improve this question

1 Answer 1

Reset to default
0

Use the S3 Public Access Block condition keys — not s3:x-amz-public-access-block-enabled (it doesn’t exist). Add an explicit Deny on s3:PutBucketPublicAccessBlock and s3:PutAccountPublicAccessBlock when any of these is false (use BoolIfExists):
s3:PublicAccessBlockConfiguration/BlockPublicAcls, /IgnorePublicAcls, /BlockPublicPolicy, /RestrictPublicBuckets.
Exempt accounts with aws:PrincipalAccount; exempt buckets via NotResource on their ARNs.

If you run into related issues around S3 Block Public Access behavior, this might help you:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.