Bucket policy to block all access except for a list of users with varying access restrictions

Question

Need help formulating a complex bucket policy -

I own a s3 bucket with highly sensitive content in an AWS account that I do not administer. I wish to introduce a bucket policy to prevent undesired access, including by users with permissive s3 access IAM policies (which I cannot control because I'm not the account admin).

My bucket policy is currently blocking all access except for my own IAM user - it looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<my-bucket-name>",
                "arn:aws:s3:::<my-bucket-name>/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "<my IAM userId>",
                        "<my AWS AccountId>"
                    ]
                }
            }
        }
    ]
}

This works fine, but now I need to add permissions for certain roles to be able to read/write anywhere in their respective folder under the root folder, so the bucket policy needs to allow the following (and block anything else):

1. allow my own IAM user full access to manage the bucket and its entire content
2. Allow roleA read/write access to their respective folder folderA under the root folder
3. Allow roleB read/write access to their respective folder folderB under the root folder

Can someone advise how best to acheive this outcome?

Answer 1

This will work assuming that you do not have any files on the root of the bucket, if you have files on the root of the bucket anyone with access to folder1 or folder2 will have access to them too.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyBucketAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<my-bucket-name>",
                "arn:aws:s3:::<my-bucket-name>/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "<my IAM userId>",
                        "<roleA unique ID>",
                        "<roleB unique ID>",
                    ]
                }
            }
        },
        {
            "Sid": "DenyFolderAAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<my-bucket-name>/folderA/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "<my IAM userId>",
                        "<roleA unique ID>",
                    ]
                }
            }
        },
        {
            "Sid": "DenyFolderBAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<my-bucket-name>/folderB/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "<my IAM userId>",
                        "<roleB unique ID>",
                    ]
                }
            }
        }
    ]
}

To get an IAM role Unique ID you can do so by using the following command

aws iam get-role --role-name RoleAName --query Role.RoleId --output text

or if you do not have IAM permission, you can ask someone with Role A access to do

aws sts get-caller-identity --query UserId --output text

And copy paste anything before the ":"

Example

AROA1234567890EXAMPLE:[email protected] -> Copy the AROA1234567890EXAMPLE