Preventing cross-environment Amazon S3 bucket access - Amazon Elastic Beanstalk
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Preventing cross-environment Amazon S3 bucket access

Elastic Beanstalk provides managed policies that grant the permissions needed for the Amazon resources used by the Elastic Beanstalk environments in your Amazon account. As granted by default, those permissions let one application in your account access the S3 resources that belong to other applications in the same account.

If your Amazon account runs multiple Elastic Beanstalk applications, you can scope down these permissions by writing your own custom policy and attaching it to the service role or instance profile of each environment. In the custom policy, you then limit the S3 permissions to that specific environment.

Note

Be aware that you’re responsible for maintaining your custom policy. If an Elastic Beanstalk managed policy on which your custom policy is based changes, you’ll need to modify your custom policy with the respective changes to the base policy. For a change history of Elastic Beanstalk managed policies, see Elastic Beanstalk updates to Amazon managed policies.

Example of scoped-down permissions

The following example is based on the AWSElasticBeanstalkWebTier managed policy.

The default policy includes the following statement for S3 bucket permissions. This statement doesn't limit the S3 actions to specific environments or applications: the wildcard resource arn:aws:s3:::elasticbeanstalk-* matches every Elastic Beanstalk bucket, and elasticbeanstalk-*/* matches every object in those buckets, whichever environment wrote it.

    {
        "Sid": "BucketAccess",
        "Action": [
            "s3:Get*",
            "s3:List*",
            "s3:PutObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::elasticbeanstalk-*",
            "arn:aws:s3:::elasticbeanstalk-*/*"
        ]
    }

You can scope down the access by naming the specific bucket and the environment's own key prefix as the Resource. The following example grants the instance profile role aws-elasticbeanstalk-ec2-role-my-example-env access to the S3 bucket and only to the objects of the environment with ID my-example-env-ID. Because it names the role as a Principal, the statement is in the form used by an S3 bucket policy. If you instead attach the statement to the role itself as an identity-based policy, omit the Principal element; identity-based policies do not accept one. Note also that s3:List* on the bucket ARN still lets the role list every key in the bucket, including other environments' objects. To restrict listing to the environment's own prefix, grant s3:ListBucket in a separate statement with a Condition on the s3:prefix key.

Example: Grant permissions to only a specific environment's S3 buckets

    {
        "Sid": "BucketAccess",
        "Action": [
            "s3:Get*",
            "s3:List*",
            "s3:PutObject"
        ],
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::...:role/aws-elasticbeanstalk-ec2-role-my-example-env"
        },
        "Resource": [
            "arn:aws:s3:::elasticbeanstalk-my-region-account-id-12345",
            "arn:aws:s3:::elasticbeanstalk-my-region-account-id-12345/resources/environments/my-example-env-ID/*"
        ]
    }
Note

The Resource ARN must include the Elastic Beanstalk environment ID, not the environment name. You can obtain the environment ID from the Elastic Beanstalk console on the Environment overview page. You can also use the Amazon CLI describe-environments command to obtain this information.
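To make the difference between the default and the scoped-down statement concrete, the following added example (illustration code, not part of Elastic Beanstalk or the AWS SDK) builds an identity-based policy for one environment's instance profile role and then checks offline what each policy allows with a minimal Allow-only evaluator. It goes a little beyond the single statement shown above: it drops the Principal (identity-based policies cannot carry one), narrows s3:List* to s3:ListBucket, and splits listing into its own statement with a Condition on s3:prefix, because that key is only present in ListBucket requests and a StringLike condition on the object statement would leave GetObject and PutObject without a matching statement. The region, account ID and environment IDs are constructed placeholders, and the evaluator models only wildcard Action/Resource matching plus StringLike conditions, not Deny statements, bucket policies, SCPs or permissions boundaries.

```python
"""Scope Elastic Beanstalk S3 access to one environment and check the
result offline. Added example; not Elastic Beanstalk or AWS SDK code.
Region, account ID and environment IDs are constructed placeholders."""
import json
import re

REGION = "us-west-2"
ACCOUNT_ID = "123456789012"
ENV_ID = "e-abcde12345"        # hypothetical ID of my-example-env
OTHER_ENV_ID = "e-zyxwv98765"  # another environment in the same account

# The BucketAccess statement quoted from AWSElasticBeanstalkWebTier.
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BucketAccess",
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::elasticbeanstalk-*",
                     "arn:aws:s3:::elasticbeanstalk-*/*"],
    }],
}


def bucket_arn(region, account_id):
    return f"arn:aws:s3:::elasticbeanstalk-{region}-{account_id}"


def env_prefix(env_id):
    return f"resources/environments/{env_id}/"


def scoped_policy(region, account_id, env_id):
    """Identity-based policy for one environment's instance profile role.

    No Principal: only a bucket policy accepts one. Listing is a separate
    statement because s3:prefix exists only in ListBucket requests."""
    bucket, prefix = bucket_arn(region, account_id), env_prefix(env_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BucketLevelRead", "Effect": "Allow",
             "Action": ["s3:Get*"], "Resource": [bucket]},
            {"Sid": "ListOwnPrefixOnly", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": [bucket],
             "Condition": {"StringLike": {"s3:prefix": [prefix + "*"]}}},
            {"Sid": "ObjectAccess", "Effect": "Allow",
             "Action": ["s3:Get*", "s3:PutObject"],
             "Resource": [f"{bucket}/{prefix}*"]},
        ],
    }


def _matches(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(rx, value, flags) is not None


def allows(policy, action, resource, context=None):
    """Minimal Allow-only evaluator: wildcard Action (case-insensitive),
    wildcard Resource (case-sensitive) and StringLike conditions on
    request-context keys. A missing context key makes the condition false,
    as in IAM. Deny, bucket policies, SCPs and boundaries are not modelled."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(a, action, True) for a in stmt["Action"]):
            continue
        if not any(_matches(r, resource) for r in stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if all(k in context and any(_matches(p, context[k]) for p in pats)
               for k, pats in cond.items()):
            return True
    return False


if __name__ == "__main__":
    bucket = bucket_arn(REGION, ACCOUNT_ID)
    other_obj = f"{bucket}/{env_prefix(OTHER_ENV_ID)}app.zip"
    scoped = scoped_policy(REGION, ACCOUNT_ID, ENV_ID)
    print(json.dumps(scoped, indent=2))
    # Default policy reads any environment's objects; scoped one does not,
    # and it also refuses to list keys outside the environment's prefix.
    print(allows(DEFAULT_POLICY, "s3:GetObject", other_obj))  # True
    print(allows(scoped, "s3:GetObject", other_obj))          # False
    print(allows(scoped, "s3:ListBucket", bucket,
                 {"s3:prefix": env_prefix(OTHER_ENV_ID)}))    # False
```

In practice you would look up the real environment ID with the CLI, for example aws elasticbeanstalk describe-environments --environment-names my-example-env --query "Environments[].EnvironmentId", write the generated document to a file, and attach it with aws iam put-role-policy --role-name aws-elasticbeanstalk-ec2-role-my-example-env --policy-name scoped-s3 --policy-document file://policy.json, then confirm the environment still deploys before removing the managed policy. Because the listing statement requires s3:prefix to be present, a ListBucket call without a prefix is refused as well, which is the intended effect.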

For more information to help you update S3 bucket permissions for your Elastic Beanstalk environments, see the following resources: