Question:
I’m working on an S3 bucket policy. The idea is to explicitly deny access to all IAM users within the account, except for those explicitly granted.
I found a blog post that explains how to restrict access to a specific user. It works well. However, I want to extend the syntax to include a second IAM user that will be allowed access. This is, in effect, an OR condition.
But, I’ve very new to JSON, and I’m not sure how to go about that.
Here is the policy that works for restricting access to a single user:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ], "Condition": { "StringNotLike": { "aws:userId": [ "AIDA "AIDA "111111111111" ] } } } ] } |
Can anyone help me edit the above JSON to allow for an OR condition where I could specify an additional userid that would be allowed access?
AdvThanksance!
Answer:
Ok, I figured this out.
First, I tried adding a second StringgNotLike clause to the Condition, but that didn’t work.
After doing as bit more reading, I realized the Condition clause accepts multiple key/value pairs. In fact, the original policy I showed in my question already did that. I just needed to add more values to the array that was already there.
The policy that works, looks like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::my-private-bucket", "arn:aws:s3:::my-private-bucket/*" ], "Condition": { "StringNotLike": { "aws:userId": [ "AIDA "AIDA "AIDA "AIDA "111111111111" ] } } } ] } |
When I realized that the key had already specified an array of values, I just added the second user id to the array, and it worked great.