Amazon: Deny access to Amazon S3 resources outside your account except Amazon Web Services Data Exchange
This example shows how you might create an identity-based policy that denies access to all resources in Amazon Web Services that don't belong to your account, except for the resources that Amazon Web Services Data Exchange requires for normal operation. To use this policy, replace the placeholder account ID (111122223333) in the example policy with your own account ID. Then, follow the directions in create a policy or edit a policy.
You can create a similar policy to restrict access to resources within an organization or an organizational unit, while accounting for Amazon Web Services Data Exchange owned resources, by using the condition keys aws:ResourceOrgPaths and aws:ResourceOrgID.
If you use Amazon Web Services Data Exchange in your environment, the service creates and interacts with resources such as Amazon S3 buckets owned by the service account. For example, Amazon Web Services Data Exchange sends requests to Amazon S3 buckets owned by the Amazon Web Services Data Exchange service on behalf of the IAM principal (user or role) invoking the Amazon Web Services Data Exchange APIs. In that case, using aws:ResourceAccount, aws:ResourceOrgPaths, or aws:ResourceOrgID in a policy without accounting for Amazon Web Services Data Exchange owned resources denies access to the buckets owned by the service account, and the Data Exchange operations that depend on them fail.
- The statement DenyAllAwsResourcesOutsideAccountExceptAmazonS3 uses the NotAction element with the Deny effect. It explicitly denies every action that is not listed in NotAction when the action is performed on a resource that does not belong to the listed account. The three Amazon S3 actions listed in NotAction are carved out of this blanket deny because Amazon Web Services Data Exchange performs them on buckets owned by the service account; if they were covered here, the policy would deny them regardless of which service made the call. Those three actions are handled separately by the second statement.
- The statement DenyAllS3ResourcesOutsideAccountExceptDataExchange combines the aws:ResourceAccount and aws:CalledVia condition keys to deny the three Amazon S3 actions excluded from the previous statement. It denies the actions when the resource does not belong to the listed account and the request was not made through Amazon Web Services Data Exchange. It does not deny the actions if either the resource belongs to the listed account or the listed service principal, dataexchange.amazonaws.com, performs the operations on the principal's behalf. Because aws:CalledVia is a multivalued key, the condition uses the ForAllValues:StringNotEquals set operator; that operator also evaluates to true when aws:CalledVia is absent from the request context, which is the case when the principal calls Amazon S3 directly rather than through a service, so direct cross-account access to the three actions is still denied. Note that any other action that Amazon Web Services Data Exchange might perform on service-owned resources is not exempted; the first statement still denies it.
Important
This policy does not allow any actions. It uses the Deny effect, which explicitly denies access to all of the resources listed in the statement that do not belong to the listed account. Use this policy in combination with other policies that allow access to specific resources.
The following example shows the complete policy. It denies access to resources outside the listed account while leaving the Amazon S3 actions that Amazon Web Services Data Exchange performs on its own buckets undenied; a separate Allow policy is still required to grant them.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllAwsResourcesOutsideAccountExceptAmazonS3",
            "Effect": "Deny",
            "NotAction": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:ResourceAccount": [
                        "111122223333"
                    ]
                }
            }
        },
        {
            "Sid": "DenyAllS3ResourcesOutsideAccountExceptDataExchange",
            "Effect": "Deny",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:ResourceAccount": [
                        "111122223333"
                    ]
                },
                "ForAllValues:StringNotEquals": {
                    "aws:CalledVia": [
                        "dataexchange.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
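To see how the two statements interact before deploying the policy, the following script walks a handful of constructed requests through a small evaluator that models only the pieces this policy uses: Action/NotAction matching, the single-valued StringNotEquals operator, and the multivalued ForAllValues:StringNotEquals operator, including the case where aws:CalledVia is absent because the principal called Amazon S3 directly. This is an added illustration, not code from the IAM documentation or the IAM policy engine; the account IDs 111122223333 and 999988887777 are placeholders, the request contexts are constructed, and the evaluator deliberately ignores the Resource element because the policy uses "*". For a real policy, use the IAM policy simulator rather than this toy.

```python
import fnmatch
import json

# Constructed placeholder account IDs, not real accounts.
MY_ACCOUNT = "111122223333"
OTHER_ACCOUNT = "999988887777"

# The two-statement policy from the page, embedded verbatim.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllAwsResourcesOutsideAccountExceptAmazonS3",
      "Effect": "Deny",
      "NotAction": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "*",
      "Condition": {"StringNotEquals": {"aws:ResourceAccount": ["111122223333"]}}
    },
    {
      "Sid": "DenyAllS3ResourcesOutsideAccountExceptDataExchange",
      "Effect": "Deny",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"aws:ResourceAccount": ["111122223333"]},
        "ForAllValues:StringNotEquals": {"aws:CalledVia": ["dataexchange.amazonaws.com"]}
      }
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and may contain wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers_action(stmt, action):
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action NOT in the list.
    return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))


def _condition_holds(condition, ctx):
    """Return True if every condition block matches the request context."""
    for operator, keys in condition.items():
        for key, policy_values in keys.items():
            policy_values = _as_list(policy_values)
            if key not in ctx:
                # Negated operators hold when the key is absent; for ForAllValues this
                # is the documented behaviour and is what denies direct S3 calls here.
                continue
            if operator == "StringNotEquals":
                if ctx[key] in policy_values:
                    return False
            elif operator == "ForAllValues:StringNotEquals":
                # Every request value must differ from every policy value.
                if any(v in policy_values for v in _as_list(ctx[key])):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def denying_statement(policy, action, resource_account, called_via=None):
    """Return the Sid of the first Deny statement that matches, or None.

    None means "not denied by this policy"; it does not mean "allowed",
    since the policy contains no Allow statements.
    """
    ctx = {"aws:ResourceAccount": resource_account}
    if called_via is not None:
        ctx["aws:CalledVia"] = list(called_via)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _statement_covers_action(stmt, action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        return stmt["Sid"]
    return None


if __name__ == "__main__":
    cases = [
        ("s3:GetObject", MY_ACCOUNT, None),
        ("s3:GetObject", OTHER_ACCOUNT, None),
        ("s3:GetObject", OTHER_ACCOUNT, ["dataexchange.amazonaws.com"]),
        ("s3:ListBucket", OTHER_ACCOUNT, ["dataexchange.amazonaws.com"]),
        ("ec2:DescribeInstances", OTHER_ACCOUNT, None),
    ]
    for action, account, via in cases:
        print(action, account, via, "->", denying_statement(POLICY, action, account, via))
```

The fourth case is the one worth noticing: s3:ListBucket on a bucket outside the account is denied by the first statement even when the call comes through dataexchange.amazonaws.com, because only the three listed actions are carved out. If Data Exchange needs a further action on its own buckets, it has to be added to both statements.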