Post by Florin Gruber, January 2024

S3 IAM Policy Evaluation Logic

Each statement in an S3 IAM policy either allows or denies a set of actions on a set of resources. Learn how allow and deny statements interact and how to write policies that grant exactly the actions you really need.

Implicit and explicit deny

In S3 IAM policy evaluation, every action is denied by default. If no statement explicitly allows a given action on a given resource, the request is denied. This default is called the implicit deny: every action is implicitly denied unless an explicit allow statement in the policy matches it.

Deny overpowers Allow

  • If an explicit allow and an explicit deny both match the request, the deny statement always wins, regardless of the order of the statements in the policy.
  • If an explicit allow matches and there is only the (default) implicit deny, the allow statement wins.

Let's have a look at some example policies

First, a minimal S3 IAM policy that contains allow statements only:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement-set-1",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads",
        "s3:GetObject",
        "s3:AbortMultipartUpload",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Sid": "statement-set-2",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}

The policy above explicitly allows eight actions (s3:ListBucket ... s3:GetBucketLocation), but only on the bucket "mybucket" itself and on the objects in it ("mybucket/*" covers every object key, at any depth). The same actions on any other bucket in the same account are not mentioned by any statement and are therefore implicitly denied. The second statement allows s3:ListAllMyBuckets on "*"; this lets a client enumerate bucket names but does not grant access to the contents of any bucket. Now a second policy that combines an explicit allow with an explicit deny:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement-set-1",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Sid": "statement-set-2",
      "Effect": "Deny",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}

The policy above has two statements. The first statement (Sid "statement-set-1") allows the ListBucket and PutObject actions on the bucket "mybucket". The second statement denies the same actions on the same bucket. As we've learnt before, deny statements always win over allow statements, so with this policy both actions are denied. Swapping the order of the two statements would not change the result.
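To make the evaluation rules above concrete, here is a small policy evaluator added for this article. It is not AWS code and not part of the original post; it implements only the identity-policy rules discussed here (implicit deny, explicit allow, explicit deny wins) for Effect, Action and Resource with IAM-style "*" and "?" wildcards. NotAction, NotResource, Principal, Condition, bucket policies, SCPs and permission boundaries, which real AWS evaluation also takes into account, are deliberately out of scope. The two policies in the block are constructed samples modelled on the examples above.

```python
import re

# Constructed sample policy (not taken from the page): the Allow statements of
# the examples above plus a Deny on DeleteObject, so that the deny-wins rule
# can be observed on a single policy.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow-mybucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
        },
        {
            "Sid": "allow-list-all-buckets",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
        },
        {
            "Sid": "deny-delete",
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::mybucket/*",
        },
    ],
}

# Constructed policy showing a common mistake: only the object ARN is listed,
# so s3:ListBucket (which applies to the bucket ARN itself) is implicitly denied.
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "objects-only",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": "arn:aws:s3:::mybucket/*",
    }],
}


def _as_list(value) -> list:
    """Action and Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, candidate: str, ignore_case: bool) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one.
    Everything else is literal (no character classes, unlike fnmatch)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, candidate, flags) is not None


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """A statement applies when both an Action and a Resource entry match.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action")))
    resource_hit = any(_wildcard_match(r, resource, False) for r in _as_list(stmt.get("Resource")))
    return action_hit and resource_hit


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decide one request against one policy.

    Returns "ExplicitDeny", "Allow" or "ImplicitDeny": the request starts out
    implicitly denied, a matching Allow grants it, and a matching Deny
    overrides any Allow no matter where in the policy it appears.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "ExplicitDeny"   # deny wins; nothing later can change that
        if stmt.get("Effect") == "Allow":
            decision = "Allow"      # keep scanning: a later Deny still overrides
    return decision


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    return evaluate(policy, action, resource) == "Allow"


if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::mybucket/backup/2024-01.hbk"),
        ("s3:GetObject", "arn:aws:s3:::otherbucket/secret.txt"),
        ("s3:DeleteObject", "arn:aws:s3:::mybucket/backup/2024-01.hbk"),
        ("s3:ListAllMyBuckets", "*"),
        ("s3:GetBucketLocation", "arn:aws:s3:::mybucket"),
    ]
    for act, res in requests:
        print(f"{act:22} {res:44} -> {evaluate(EXAMPLE_POLICY, act, res)}")
    print("ListBucket with objects-only Resource ->",
          evaluate(OBJECTS_ONLY_POLICY, "s3:ListBucket", "arn:aws:s3:::mybucket"))
```

Run the block directly to see the decisions. The objects-only policy is worth a look: a client that can read objects but gets "Access Denied" when listing the bucket is usually missing the bare bucket ARN ("arn:aws:s3:::mybucket") in its Resource list, exactly the implicit deny described above.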

Our Suggestion

Always try to allow only the actions a user actually needs. This minimizes the damage to your bucket in case of software malfunctions, credential theft or malicious admin actions.

A good starting point for any S3 IAM policy is the minimal policy below. It allows putting (writing), getting (reading) and deleting objects in one specific bucket, plus the multipart-upload and bucket-location calls that most clients need for this. It also allows listing all buckets, but the user cannot access the contents of any bucket other than the one named in the policy. This policy can be considered a basic minimal policy and is proven to work well with Synology Hyper Backup, S3 Browser and all basic S3 use cases.

The Backup ONE Minimal S3 IAM Policy (Synology Hyper Backup, S3 Browser and more):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads",
        "s3:GetObject",
        "s3:AbortMultipartUpload",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}

Make sure to replace the bucket name "mybucket" (in the lines "arn:aws:s3:::mybucket" and "arn:aws:s3:::mybucket/*") with the actual name of the bucket you are using, and keep both lines: the first covers bucket-level actions such as s3:ListBucket, the second covers the objects in it.

Backup ONE S3 IAM Policy Generator

If you'd like to have a look at our recommended S3 IAM policies, please head over to our free S3 IAM Policy Generator and pick the policy that best fits your needs.

Need help with S3 IAM Policies?

We're here to help. If you need help defining or debugging an S3 IAM Policy, please feel free to reach out to our specialists via our contact form or phone.