How can an SCP allow users to create buckets but deny making them public?

587 views Asked by At

I want to prevent the users in my organization from creating public buckets as well as changing existing buckets to give them any public access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3-whitelist",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        /* many others, but not:           */
        /* "s3:PutBucketPublicAccessBlock" */
      ],
      "Resource": "*"
    },
    {
      "Sid": "s3-explicit-deny",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*"
    }
  ]
}

The second block ist just for good measure but as far as I can tell it does not add any value. With the SCP my users cannot change any existing non-public bucket into a public one, nor the other way around (that's ok). But they can still create new Buckets and in the dialog they can uncheck 'Block all public access' and thus create public buckets. But I cannot deny them s3:CreateBucket alltogether, because should be able to create buckets as long as they are non-public. So I guess I need to only allow s3:CreateBucket under the condition that the user has set the checkmark on 'Block all public access'. But how can I express that in the scp?

0

There are 0 answers