Tuesday, 21 April 2015

S3 IAM Policy to access another account

We need to create an IAM user that is allowed to access buckets in our client's S3 accounts (provided that they have allowed us access to those buckets as well).

We have created an IAM user in our account with the following inline policy:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObjectAcl",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

In addition to this, we will request that our clients use the following policy and apply it to their relevant bucket:

{
    "Version": "2008-10-17",
    "Id": "Policy1416999097026",
    "Statement": [
        {
            "Sid": "Stmt1416998971331",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::229569340673:user/our-iam-user"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObjectAcl",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::client-bucket-name/*"
        },
        {
            "Sid": "Stmt1416999025675",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::229569340673:user/our-iam-user"
            },
            "Action": [
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::client-bucket-name"
        }
    ]
}

Whilst this all seems to work fine, the one major issue that we have discovered is that our own internal inline policy seems to give our-iam-user full access to all of our own internal buckets.

Have we misconfigured something, or are we missing something else obvious here?
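As an added example that is not part of the original post, a small Python evaluator of the identity policy above: it models IAM's wildcard matching of Action and Resource and the Deny-over-Allow rule, and shows that a Resource of "arn:aws:s3:::*" grants the listed actions on every bucket in the same account, where the identity policy alone decides, while a hypothetical variant scoped to the client bucket's two ARNs does not. For a bucket in another account the client's bucket policy must allow the request as well; the scoped policy and the internal bucket ARN are constructed, and Conditions are not modelled.

```python
import re

# Identity policy from the question (the original has no "Version" key).
ORIGINAL_INLINE_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:AbortMultipartUpload", "s3:PutObjectAcl",
                   "s3:ListMultipartUploadParts", "s3:PutObject",
                   "s3:ListBucketMultipartUploads", "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::*",
    }]
}

# Hypothetical scoped variant (constructed, not from the post): same actions,
# Resource limited to the client bucket (bucket-level actions) and its objects.
SCOPED_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ORIGINAL_INLINE_POLICY["Statement"][0]["Action"],
        "Resource": ["arn:aws:s3:::client-bucket-name",
                     "arn:aws:s3:::client-bucket-name/*"],
    }]
}

def _iam_match(pattern, value, case_sensitive=True):
    """IAM wildcards: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def identity_policy_allows(policy, action, resource_arn):
    """Identity policy alone (Conditions not modelled): explicit Deny wins, else
    any matching Allow grants, else implicit deny. In the caller's own account
    this decision suffices, so arn:aws:s3:::* reaches every internal bucket."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names compare case-insensitively, resource ARNs case-sensitively.
        if (any(_iam_match(a, action, False) for a in _as_list(stmt["Action"]))
                and any(_iam_match(r, resource_arn) for r in _as_list(stmt["Resource"]))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    for pol in (ORIGINAL_INLINE_POLICY, SCOPED_INLINE_POLICY):
        print(identity_policy_allows(pol, "s3:PutObject", "arn:aws:s3:::our-internal-bucket/x"))
```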
