Prevent access of S3 bucket for admin via console


I have some very highly confidential data that I want to store in an S3 bucket.
I want to make policies (bucket or IAM, whatever is required) in such a way that no one (not even an admin) can read the contents of files in that bucket from the AWS console.
But I will have a program running on my host that needs to put and get data from that S3 bucket.
Also, I will be using server-side encryption of S3, but I can't use client-side encryption of S3.
Tags: amazon-s3 aws-sdk amazon-iam aws-security-group
asked Mar 8 at 4:56 by Shubham Bansal
          1 Answer
You are looking for something like this:

```json
{
  "Id": "bucketPolicy",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::111111111111:user/USERNAME",
          "arn:aws:iam::111111111111:role/ROLENAME"
        ]
      },
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}
```

For test purposes, make sure you replace arn:aws:iam::111111111111:user/USERNAME with your user ARN, so in case you lock out everybody you can at least perform actions on the bucket.



arn:aws:iam::111111111111:role/ROLENAME should be replaced by the ARN of the role attached to your EC2 instance (I am assuming that is what you mean by host).
answered Mar 8 at 8:15 (edited Mar 9 at 10:37) by MC_
• Two problems: explicit deny cannot be overridden by explicit allow, and it is impossible to prevent the root credentials from deleting and then replacing a bucket policy, giving the root credentials a backdoor to the bucket. – Michael - sqlbot, Mar 8 at 21:26

• @Michael-sqlbot you are correct, I missed the condition in the deny statement. I shall fix it in my answer soon. – MC_, Mar 8 at 22:00

• @Michael-sqlbot policy is updated. It only allows actions to the bucket for specified user/role. – MC_, Mar 9 at 10:38
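As an added example (not code from the question, the answer or AWS), the following Python models the evaluation rule the answer and the comments rely on: an explicit Deny in the bucket policy beats any IAM Allow, a principal excepted by NotPrincipal still needs an Allow from somewhere, and the account root can always delete the bucket policy. The ARNs are the answer's placeholders; `evaluate` and `lint` are hypothetical helpers that compare principals as exact ARNs and do not model assumed-role session ARNs.

```python
import json
import re

# Constructed copy of the bucket policy from the answer above; the account id,
# USERNAME, ROLENAME and examplebucket are the answer's own placeholders.
BUCKET_POLICY = json.loads("""{
  "Id": "bucketPolicy", "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny", "Action": "s3:*",
    "NotPrincipal": {"AWS": ["arn:aws:iam::111111111111:user/USERNAME",
                             "arn:aws:iam::111111111111:role/ROLENAME"]},
    "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]
  }]
}""")
ACCOUNT_ROOT = "arn:aws:iam::111111111111:root"

def _glob(pattern, value):
    """IAM-style wildcard match for Action and Resource strings."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _applies(stmt, principal_arn, action, resource):
    """True when Action, Resource and (Not)Principal all match. Principals are
    compared as exact ARNs; assumed-role session ARNs are not modelled here."""
    if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    if "NotPrincipal" in stmt:  # the statement hits everyone EXCEPT the listed ARNs
        return principal_arn not in _as_list(stmt["NotPrincipal"]["AWS"])
    principal = stmt.get("Principal", "*")
    listed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return "*" in listed or principal_arn in listed

def evaluate(policy, principal_arn, action, resource, iam_allows=False):
    """Same-account decision: explicit Deny beats any Allow (IAM or bucket), else
    any Allow wins, else implicit Deny. The root special case is the comments'
    caveat: root can always delete the bucket policy, so it cannot fence root in."""
    if principal_arn == ACCOUNT_ROOT and action.lower() == "s3:deletebucketpolicy":
        return "Allow"
    effects = [s["Effect"] for s in policy["Statement"]
               if _applies(s, principal_arn, action, resource)]
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects or iam_allows:
        return "Allow"
    return "Deny"  # implicit: being excepted from a Deny grants nothing by itself

def lint(policy, my_user_arn):
    """The answer's two pieces of advice as checks on each Deny/NotPrincipal
    statement: except your own user ARN (anti-lockout) and the host's role ARN."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "NotPrincipal" not in stmt:
            continue
        excepted = _as_list(stmt["NotPrincipal"]["AWS"])
        if my_user_arn not in excepted:
            findings.append("your own user ARN is not excepted: this Deny locks you out too")
        if not any(":role/" in p for p in excepted):
            findings.append("no role ARN is excepted: the host's instance role is denied")
    return findings
```

Running `evaluate` for an admin user whose IAM policy allows `s3:*` returns "Deny" on the bucket, while the same call for the account root with `s3:DeleteBucketPolicy` returns "Allow", which is exactly the backdoor the first comment describes.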