Restricting access to Amazon S3 on object level for federated IAM users

Question

I'm doing some research around using S3. What I would like to achieve is basically control access to objects in S3 bucket in the same manner like on file system but for IAM federated users.

Let's assume following scenario

  Bucket  
     |- File 1.txt -> ACL: Read: User1; Read: User 2
     |- File 2.txt -> ACL: Read: Everyone; Read, Write: User 2
     |- File 3.txt -> ACL: Read: Group 1; Read, Write: User 2

This kind of configuration can be achieved using ACLs and Amazon "native" users and groups. From the other hand, for federated user, the only thing I was able to find, was to generate temporary token with assigned bucket policy.

If I understand it correctly, bucket polices works in opposite way than ACL (defines to which objects user have access, while ACL defines who have access to the object)

My question is. Is it possible to assign federated user in ACL (or achive in other way the same goal for federated users) ?

I would like to achive the same behaviour like on file system where you have users in groups and on objects you are marking which groups have access to them

Assuming that field 'x-amz-meta-seclevels' contains groups which have access to file (Group1, Group2, admin3rdfloor), with presented policy (which is not proper, but I would like to describe what is in my mind) attached to IAM Federated user, I could grant this user access to all files which contains admin3rdfloor value in x-amz-meta-seclevels field.

{
'Statement': [
    { 
        'Sid': 'PersonalBucketAccess', 
        'Action': [ 
            's3:GetObject' 
            ],
        'Effect': 'Allow', 
        'Resource': 'arn:aws:s3:::MyBucketName' 
        'Condition':{
        'StringLike':{
           's3:x-amz-meta-seclevels':'admin3rdfloor'
        }
     }

    }
]

}

Is this achievable in any way?

Thanks for help in advance!

Answer 1

If I understand your desired configuration correctly, AWS might have just released a feature enabling this scenario, see Variables in AWS Access Control Policies:

AWS Identity and Access Management (IAM) enables you to create policies that control access to AWS service APIs and resources. Today we’re extending the AWS access policy language to include support for variables. Policy variables make it easier to create and manage general policies that include individualized access control.

Here's the provided example policy for regular IAM users:

{
   "Version": "2012-10-17",
   "Statement": [
     {
       "Action": ["s3:ListBucket"],
       "Effect": "Allow",
       "Resource": ["arn:aws:s3:::myBucket"],
       "Condition":{"StringLike":
      {"s3:prefix":["home/${aws:username}/*"]}}
     },
     {
       "Action":["s3:GetObject", "s3:PutObject", "s3:DeleteObject*"],
       "Effect":"Allow",
       "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
       "arn:aws:s3:::myBucket/home/${aws:username}/*"]
     }
]
}

While the ${aws:username} included in this example isn't available for federated users (or assumed roles), there is another variable ${aws:userid}, which will be substituted with account:caller-specified-name for the respective ${aws:principaltype} FederatedUser, - please refer to the table within Request Information That You Can Use for Policy Variables for details on how these variables are substituted depending on principal type.