I have tried to deny overall access, and then give specific access to a provided user which happens to be the application. I am executing PUT and GET requests using the AWS service API.
I have tried the following, but since I have a deny GET on all users, it will not let the allowed user do a GET request either even though it is stated in the policy.
Is there a better way to do this where I deny all access to everyone except specified users?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "force deny access to private folder",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket/apptest/*"
    },
    {
      "Sid": "allow s3 uplaod and conversion using aws-sdk",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/user_name"
      },
      "Action": [
        "s3:GetObjectVersionTorrent",
        "s3:AbortMultipartUpload",
        "s3:GetObjectAcl",
        "s3:GetObjectTorrent",
        "s3:RestoreObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl",
        "s3:PutObject",
        "s3:GetObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::bucket/apptest/*"
    }
  ]
}
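The following is an added example, not part of the original post: a minimal simulation of how AWS evaluates these two statements (an explicit Deny always wins over an Allow), run first against the policy as posted and then against a corrected Deny that uses NotPrincipal so the denial applies to everyone except the application user. The account id, user name and bucket are the placeholders from the post; identity-based policies and other real-world inputs are deliberately left out.

```python
# Added example (not from the original post): simulate IAM policy evaluation
# for a bucket policy. Only Principal/NotPrincipal, Action and Resource are
# modelled; conditions and identity-based policies are ignored for brevity.
import fnmatch

APP_USER = "arn:aws:iam::111111111111:user/user_name"    # placeholder from the post
ACCOUNT_ROOT = "arn:aws:iam::111111111111:root"          # same placeholder account
OBJ = "arn:aws:s3:::bucket/apptest/file.txt"             # constructed object key

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, principal, action, resource):
    """True if this statement applies to the given principal/action/resource."""
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if "NotPrincipal" in stmt:  # statement applies to everyone NOT listed
        return principal not in _as_list(stmt["NotPrincipal"]["AWS"])
    allowed = _as_list(stmt["Principal"]["AWS"])
    return "*" in allowed or principal in allowed

def evaluate(policy, principal, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; else implicit deny."""
    matching = [s for s in policy["Statement"] if _matches(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "Deny"
    return "Allow" if any(s["Effect"] == "Allow" for s in matching) else "Deny"

ALLOW_APP = {"Sid": "allow app user", "Effect": "Allow",
             "Principal": {"AWS": APP_USER},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::bucket/apptest/*"}

# As posted: the Deny on "*" also matches the app user, so its Allow never wins.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Sid": "deny all", "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/apptest/*"},
    ALLOW_APP]}

# Corrected: NotPrincipal exempts the app user (and the account root, which AWS
# recommends listing alongside any IAM user in a Deny/NotPrincipal statement).
CORRECTED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "deny everyone else", "Effect": "Deny",
     "NotPrincipal": {"AWS": [APP_USER, ACCOUNT_ROOT]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/apptest/*"},
    ALLOW_APP]}
```

An equivalent corrected form keeps `"Principal": {"AWS": "*"}` on the Deny and adds a `StringNotEquals` condition on `aws:PrincipalArn` listing the same ARNs; both avoid the Deny-overrides-Allow trap the post runs into.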