I am trying to protect a folder in my S3 architecture and only allow access to the web app using an AWS access key. The bucket layout is:

    company
        production
        development
        private
If I put a DENY access directly on the private folder, then that DENY statement overrides all other bucket policies or IAM policies set for the web app. Even if the web app has full admin access through an IAM policy, it will not be able to access the private folder if there is a DENY statement on that folder in the bucket policy.
I have tried the following bucket policy, but it still allows an anonymous user to look at files in the protected folder.
I thought all folders in a bucket are private unless stated in the bucket policy?
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::company/production/*"
        },
        {
            "Sid": "allow access to private files in the private folder",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::88888888888:user/web_app"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::company/*"
        }
    ]
}
```
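The evaluation order the question describes (an explicit Deny overriding any Allow, and nothing matching being an implicit deny) can be walked through with a small simulator. This is an added example, not code from the question or from AWS: it models only the statement shapes used here plus one Deny statement that fences off `company/private/*` from everyone except `web_app` via the real `aws:PrincipalArn` condition key; the ARNs are the placeholders from the question, and IAM policies, ACLs and Block Public Access are deliberately not modelled.

```python
import fnmatch

# Constructed sample: the two Allow statements from the question plus a Deny
# on company/private/* that exempts only the web_app user (placeholder ARN).
WEB_APP = "arn:aws:iam::88888888888:user/web_app"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::company/production/*"},
        {"Effect": "Allow", "Principal": {"AWS": WEB_APP}, "Action": "s3:*",
         "Resource": "arn:aws:s3:::company/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::company/private/*",
         "Condition": {"StringNotEquals": {"aws:PrincipalArn": WEB_APP}}},
    ],
}
# The policy exactly as posted (no Deny), for comparison.
ORIGINAL = {"Version": "2012-10-17", "Statement": POLICY["Statement"][:2]}


def _principal_matches(principal, caller):
    """'*' matches everyone, anonymous included; {"AWS": arn} matches that ARN."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") == caller


def _condition_holds(cond, caller):
    """Only StringNotEquals on aws:PrincipalArn is modelled (simplified).
    A negated operator on a key absent from the request (anonymous) is true."""
    for key, wanted in cond.get("StringNotEquals", {}).items():
        if key == "aws:PrincipalArn" and caller == wanted:
            return False
    return True


def evaluate(policy, caller, action, resource):
    """Simplified bucket-policy decision for one request.
    caller=None is an anonymous request. Explicit Deny wins over Allow;
    a request no statement matches is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not fnmatch.fnmatchcase(action, stmt["Action"]):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), caller):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any allow, matched or not
        decision = "Allow"
    return decision
```

Run against `ORIGINAL`, an anonymous GetObject on `company/private/secret.txt` is an implicit deny, so the posted policy itself grants nothing there; if such files are readable anonymously, the grant comes from something this simulator does not model, such as object ACLs.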