Bucket policy with conditionals exception for AWSReservedSSO

0

Dear,

I want to write a bucket policy denying everyone except federated user (AWSReservedSSO) with a specific permission set. Is it possible?

I read the documentation below, but I couldn't find this information.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-roles

Janduci
asked 3 months ago, 210 views
3 Answers
1

Hello. To achieve this, you can use conditions in your bucket policy to restrict access based on certain attributes of the federated user. Here's an example of a bucket policy that denies access to everyone except federated users from AWS Single Sign-On (AWS SSO) with a specific permission set:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*",
        "arn:aws:s3:::your-bucket-name"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalType": ["Federated"]
        },
        "StringEquals": {
          "aws:PrincipalTag/sso_permission_set_name": "your-specific-permission-set-name"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*",
        "arn:aws:s3:::your-bucket-name"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "aws:PrincipalType": ["Federated"]
        },
        "StringEquals": {
          "aws:PrincipalTag/sso_permission_set_name": "your-specific-permission-set-name"
        }
      }
    }
  ]
}
```

This policy denies all access by default ("Effect": "Deny", "Principal": "*"), but allows access for federated users with the specified permission set ("Effect": "Allow", "Principal": "*", ...). Adjust the placeholders like your-bucket-name and your-specific-permission-set-name with your actual S3 bucket name and the name of your specific permission set in AWS SSO.

The above policy assumes that you have properly configured tags for your federated users in AWS SSO, and it uses the aws:PrincipalTag condition key to check for the specific permission set. Make sure to test the policy thoroughly to ensure it meets your security requirements.

answered 3 months ago
1

Hi, Janduci

"We don't have configured tags for our federated users. Is there another way?"

Yes, it is possible:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "Federated": "arn:aws:iam::account-id:saml-provider/AWSReservedSSO"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*",
        "arn:aws:s3:::your-bucket-name"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/PermissionSet": "your-specific-permission-set"
        }
      }
    }
  ]
}
```

Replace "account-id" with your AWS account ID, "your-bucket-name" with the name of your S3 bucket, and "your-specific-permission-set" with the actual permission set you want to allow.

This policy explicitly denies access to any principal that is not federated with the specified SAML provider (AWSReservedSSO) and does not have the specified permission set.

If you don't have tags configured for your federated users, you can still use conditions based on other attributes available in the context of the request, such as the username or the source IP address. However, keep in mind that these attributes might not be as secure or reliable as using tags.

answered 3 months ago
0

Hari,

We don't have configured tags for our federated users. Is there another way?

Janduci
answered 3 months ago
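As an added example (not from any of the answers above), the following script shows a tag-free way to get the effect the asker wants: a single Deny with "Principal": "*" whose ArnNotLike condition on aws:PrincipalArn exempts the IAM Identity Center (AWS SSO) role of one permission set plus a break-glass role, so the lockout is not total. It relies on the fact that Identity Center provisions one role per permission set and account, named AWSReservedSSO_<PermissionSetName>_<suffix> under the path /aws-reserved/sso.amazonaws.com/ (with an optional region segment), and that aws:PrincipalArn carries the role ARN for role sessions. The account ID 111122223333, bucket example-bucket, permission set DataReaders, the BucketPolicyAdmin break-glass role and the sample principal ARNs are all constructed assumptions, and the evaluator is a simplified stand-in for IAM that only handles the statement shape the script itself produces.

```python
import json
import re

# Constructed sample values (assumptions, not taken from the thread).
ACCOUNT_ID = "111122223333"
BUCKET = "example-bucket"
PERMISSION_SET = "DataReaders"
# Role kept outside the deny so an administrator can still fix the policy.
BREAK_GLASS_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/BucketPolicyAdmin"

# Identity Center role ARN pattern. The "*" right after "sso.amazonaws.com/"
# covers both the no-region path and the path with a region segment; the
# trailing "*" covers the random suffix appended to the permission set name.
SSO_ROLE_PATTERN = (
    f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/"
    f"*AWSReservedSSO_{PERMISSION_SET}_*"
)


def build_policy(bucket, allowed_principal_patterns):
    """Bucket policy that denies all S3 actions on the bucket to every
    principal whose ARN matches none of the given patterns. No Allow is
    needed: the exempted roles keep whatever their identity policies grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllExceptListedRoles",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {
                    "ArnNotLike": {"aws:PrincipalArn": list(allowed_principal_patterns)}
                },
            }
        ],
    }


def arn_like(pattern, value):
    """ArnLike-style wildcard match: '*' matches any run of characters
    (including '/'), '?' matches exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_explicitly_denied(policy, principal_arn, action, resource):
    """Simplified evaluation: True when a Deny statement of the shape produced
    by build_policy applies to this principal/action/resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Principal"] != "*":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(arn_like(a.lower(), action.lower()) for a in actions):
            continue
        if not any(arn_like(r, resource) for r in stmt["Resource"]):
            continue
        patterns = stmt["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
        # ArnNotLike is satisfied, so the Deny fires, when NO pattern matches.
        if not any(arn_like(p, principal_arn) for p in patterns):
            return True
    return False


# Constructed principal ARNs to exercise the policy.
SSO_PATH = f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/"
SAMPLE_PRINCIPALS = {
    "sso_allowed": SSO_PATH + "AWSReservedSSO_DataReaders_0123456789abcdef",
    "sso_allowed_regional": SSO_PATH + "eu-west-1/AWSReservedSSO_DataReaders_fedcba9876543210",
    "sso_other_set": SSO_PATH + "AWSReservedSSO_AdministratorAccess_0123456789abcdef",
    "iam_user": f"arn:aws:iam::{ACCOUNT_ID}:user/alice",
    "root": f"arn:aws:iam::{ACCOUNT_ID}:root",
    "break_glass": BREAK_GLASS_ROLE,
    "other_account_sso": "arn:aws:iam::999999999999:role/aws-reserved/"
    "sso.amazonaws.com/AWSReservedSSO_DataReaders_0123456789abcdef",
}

POLICY = build_policy(BUCKET, [SSO_ROLE_PATTERN, BREAK_GLASS_ROLE])
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"


def denied_principals(policy=POLICY, action="s3:GetObject", resource=OBJECT_ARN):
    """Names of the sample principals the policy explicitly denies."""
    return sorted(
        name for name, arn in SAMPLE_PRINCIPALS.items()
        if is_explicitly_denied(policy, arn, action, resource)
    )


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, arn in SAMPLE_PRINCIPALS.items():
        verdict = "DENY" if is_explicitly_denied(POLICY, arn, "s3:GetObject", OBJECT_ARN) else "no explicit deny"
        print(f"{name:22} {verdict}")
```

Running the script prints the policy and shows that both forms of the DataReaders role and the break-glass role escape the Deny, while an IAM user, the account root, a role for a different permission set and a same-named role in another account are all denied. Because the role name carries the permission set name and the account ID is part of the ARN, this needs no tags on the federated users; remember that an explicit Deny on "Principal": "*" also covers root and every administrator, so always keep at least one exempted role that can correct the policy.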
