A Simple Bucket Policy Trick for AWS S3 Buckets; Deny All, Except One Federated User
One of the basic principles of cloud security is the Principle of Least Privilege. The idea is simple: give every user or process the minimal amount of permissions that are required to get job done.
Let’s say you’d like the following:
- Access Granted;
- To a Particular AWS S3 Bucket;
- To a Single Federated User (or more!);
- AND, you’d also like to deny access to all other users
How do you go about doing that? Well ordinarily what’s a simple undertaking is a bit monkey wrench’d by the issues posed by Federated users.
At time of writing, if you were to seek an answer to this odd requirement you won’t quite find documentation to lend a hand, so here’s the solution:
For your Federated user or user(s) you’ll need to identify the session name being used when an ‘AssumeRoleWithSAML’ API call is made via your Federated user.
Why? Well, if we try to approach this with the typical IAM Role Policy approach the permissions to assigned may be imprecise because multiple federated users outside of the scope of your intent could be utilizing the same IAM Role as your target user or user(s).
Once you trace the request(s) and identify the session name of your Federated user or user(s), write it all out in this format to prepare for your Bucket Policy:
With that in hand, the below is the complete bucket policy to block all users from getting into a particular S3 Bucket except the Federated user or user(s) you, the administrator, specify:
Apply the Bucket Policy! (Note: Always be sure to test new bucket policies on a test S3 Bucket, don’t apply this to your main target right away!)
And, just like that (hopefully) your monkey wrench has been removed.