
IAM Identity Policy for S3 Buckets

0

I am looking for a solution to the problem below.

Problem Statement: Within an AWS account there will be multiple buckets, let's say 100 S3 general purpose buckets. Out of the 100, let's say 20 have PII data and are tagged using key "data-type" = pii, and the rest are non-PII. I need to create one IAM identity policy granting access (list, get, put) to only the non-PII buckets and another IAM identity policy granting access to only the PII buckets.

Is there a way to create such policies?

Currently I can see that I can create a policy for all buckets, or for a specific list of buckets manually added to the Resource list in the policy (but that means I will have to update the policy every time a new bucket is created).

I tried using condition on aws:ResourceTag but it looks to be unsupported in case of S3.

I suppose wildcards / patterns also don't work in policies.

Is there even a way or is it not?

2 Answers
0

You're facing a common challenge with S3 access management based on bucket tags. Unfortunately, Amazon S3 does not support using the aws:ResourceTag condition key for bucket-level operations. This means you cannot create a single policy that dynamically grants access to buckets based on their tags.

Here are your options:

  1. Automated Policy Management: Set up an automated process (using AWS Lambda, for example) that monitors bucket creation events and updates the relevant IAM policies when new buckets are created with the appropriate tags. This would maintain separate policies for PII and non-PII buckets.

  2. S3 Access Points: Consider using S3 Access Points, which can provide distinct access control for different use patterns on your buckets. You could create separate access points for PII and non-PII data.

  3. S3 Access Grants: This feature allows you to create grants for access to S3 data, which might help with your use case.

  4. Object-Level Tagging: While bucket-level tag conditions don't work, you can use tag-based access control at the object level. If your PII data is organized at the object level rather than entire buckets, you could use policies that restrict access based on object tags.

  5. Naming Convention + Wildcards: If you can establish a naming convention for your buckets (e.g., all PII buckets start with "pii-" and non-PII with "nonpii-"), you could use wildcards in the resource element of your policies:

```json
"Resource": [
  "arn:aws:s3:::nonpii-*/*",
  "arn:aws:s3:::nonpii-*"
]
```

Unfortunately, there isn't a simple way to create a dynamic policy that automatically includes or excludes buckets based on their tags. You'll need to either manually update policies, automate the policy updates, or reorganize your approach to S3 data management.
Sources
Identity-based policies for Amazon S3 - Amazon Simple Storage Service
Amazon S3: Restrict management to a specific S3 bucket - AWS Identity and Access Management
Use IAM policies with tag based access-control to restrict access to an S3 bucket | AWS re:Post
Access control in Amazon S3 - Amazon Simple Storage Service

answered 2 months ago
AWS
EXPERT
reviewed 2 months ago
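An added example, not from the question or either answer, of the policy-generation step behind option 1 (Automated Policy Management): a small Python module that takes a bucket inventory with its tags, builds the non-PII and PII identity policies, keeps untagged buckets out of both, and checks the generated documents against the IAM managed-policy size limit. The tag key and values follow the question; the bucket names and tags are constructed sample data, and in a real Lambda the inventory would come from the S3 API.

```python
import json

# Constructed sample inventory (bucket name -> tags). In the automated
# setup from option 1 this would be fetched from S3 on each bucket-created event.
BUCKETS = {
    "customer-records": {"data-type": "pii", "team": "crm"},
    "hr-exports": {"data-type": "pii"},
    "web-assets": {"data-type": "nonpii"},
    "build-artifacts": {},  # untagged: excluded from both policies
}

TAG_KEY, PII_VALUE = "data-type", "pii"
MANAGED_POLICY_LIMIT = 6144  # IAM managed policy limit, non-whitespace characters

def classify(buckets):
    """Split buckets into (pii, nonpii, untagged) sets by the data-type tag."""
    pii = {n for n, t in buckets.items() if t.get(TAG_KEY) == PII_VALUE}
    untagged = {n for n, t in buckets.items() if TAG_KEY not in t}
    return pii, set(buckets) - pii - untagged, untagged

def build_policy(sid, names):
    """Allow ListBucket on the bucket ARNs and Get/Put on the object ARNs only."""
    if not names:
        raise ValueError("IAM rejects an empty Resource list; nothing to grant")
    names = sorted(names)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": f"{sid}List", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": [f"arn:aws:s3:::{n}" for n in names]},
            {"Sid": f"{sid}Objects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{n}/*" for n in names]},
        ],
    }

def policy_size(policy):
    """Non-whitespace character count, which is what the IAM limit counts."""
    return sum(1 for c in json.dumps(policy) if not c.isspace())

def generate_policies(buckets):
    """Return ({"pii": doc, "nonpii": doc}, untagged_bucket_names)."""
    pii, nonpii, untagged = classify(buckets)
    policies = {"pii": build_policy("Pii", pii), "nonpii": build_policy("NonPii", nonpii)}
    for name, doc in policies.items():
        if policy_size(doc) > MANAGED_POLICY_LIMIT:
            raise ValueError(f"{name} policy exceeds the managed policy size limit")
    # Untagged buckets are granted to nobody; they are returned for human review.
    return policies, sorted(untagged)
```

With 100 buckets (two ARNs each) the documents approach the 6,144-character limit, so the size check is what tells you when to split a policy or fall back to the naming-convention wildcards from option 5.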
0

Assuming you have an identifier on your users like a tag PII:true, you could, at the organizational level, block access to all buckets that start with pii- with an SCP, as wildcards in the path work:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3AccessWithoutPIITag",
      "Effect": "Deny",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::pii-*/*",
        "arn:aws:s3:::pii-*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:PrincipalTag/PII": "true" }
      }
    }
  ]
}
```

AWS
answered 2 months ago