Inspired by this AWS blog post: How to Restrict Amazon S3 Bucket Access to a Specific IAM Role
Goal:
Build storage for sensitive security logs using an S3 bucket.
Restrictions:
- EC2 instances can only upload logs.
- The infosec team can only download logs and (just for this particular case) delete them, with MFA.
- All other users must have no access, regardless of what their own IAM policies allow.
Custom bucket policy:
```json
"PolicyDocument": {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyForInfosecEyes",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:GetObject*", "s3:Delete*", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
      "Resource": "arn:aws:s3:::s3-top-secret-bucket/*",
      "Condition": {
        "StringNotLike": {
          "aws:userId": ["InfosecGroupUserIDs"]
        }
      }
    },
    {
      "Sid": "OnlyServerAllowToPut",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::s3-top-secret-bucket/*",
      "Condition": {
        "StringNotLike": {
          "aws:userId": ["ServerIAMRoleID:*"]
        }
      }
    },
    {
      "Sid": "EnforceEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::s3-top-secret-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": "EnforceMFADelete",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:Delete*"],
      "Resource": "arn:aws:s3:::s3-top-secret-bucket/*",
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": "true"
        }
      }
    }
  ]
}
```
Where:
InfosecGroupUserIDs - the list of unique IDs of the infosec IAM users (the UserId in the output of `aws iam get-user --user-name USER-NAME`).
ServerIAMRoleID:* - the unique ID of the IAM role used by your EC2 server instances (the RoleId in the output of `aws iam get-role --role-name ROLE-NAME`), with ":*" appended to cover every session of that role, i.e. all instances assuming it.
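As an added example (not code from this page or from the AWS blog post), the following Python renders the policy above with real unique IDs substituted for the placeholders and models how its StringNotLike and Null conditions evaluate against sample request contexts. The IDs are constructed, and `denied_by` is a simplified evaluator covering only the two operators this policy uses, not a full IAM policy simulator.

```python
import fnmatch

def deny_statement(sid, actions, resource, condition):
    """One Deny statement with Principal "*", the shape every statement on the page uses."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": actions,
            "Resource": resource, "Condition": condition}

def build_policy(bucket, infosec_user_ids, server_role_id):
    """Render the page's bucket policy with real unique IDs in place of its placeholders."""
    objects = f"arn:aws:s3:::{bucket}/*"  # object-level ARN, not a bare bucket name
    return {"Version": "2012-10-17", "Statement": [
        deny_statement("OnlyForInfosecEyes",
                       ["s3:GetObject*", "s3:Delete*", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
                       objects, {"StringNotLike": {"aws:userId": list(infosec_user_ids)}}),
        # role sessions carry aws:userId = "<RoleId>:<session name>", hence the ":*"
        deny_statement("OnlyServerAllowToPut", ["s3:PutObject"], objects,
                       {"StringNotLike": {"aws:userId": [f"{server_role_id}:*"]}}),
        deny_statement("EnforceEncryption", ["s3:PutObject"], objects,
                       {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        deny_statement("EnforceMFADelete", ["s3:Delete*"], objects,
                       {"Null": {"aws:MultiFactorAuthAge": "true"}}),
    ]}

def denied_by(policy, action, context):
    """Sids of the Deny statements matching a request; an empty list means not denied here.

    context maps condition keys to request values; an absent key is "null" in IAM terms.
    Modelled operators: StringNotLike (true when the value matches none of the patterns,
    or the key is absent) and Null (true when the key is absent and the value is "true").
    """
    hits = []
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in st["Action"]):
            continue
        matched = True
        for op, pairs in st["Condition"].items():
            for key, want in pairs.items():
                have = context.get(key)
                if op == "StringNotLike":
                    matched = matched and (have is None or
                                           not any(fnmatch.fnmatchcase(have, p) for p in want))
                elif op == "Null":
                    matched = matched and ((have is None) == (want == "true"))
        if matched:
            hits.append(st["Sid"])
    return hits

# Constructed sample IDs (not real accounts): one infosec IAM user and the EC2 server role.
POLICY = build_policy("s3-top-secret-bucket", ["AIDAEXAMPLEINFOSEC01"], "AROAEXAMPLESERVERROLE")
```

Because every statement is a Deny, an empty result only means the bucket policy does not block the request; the caller still needs an Allow in its own IAM policy.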