IAM roles advanced examples

Summary

This article provides examples of advanced IAM role policies that restrict or enable access to buckets and subfolders. Additional information on IAM roles and Aspera On Demand can be found in these articles:

  1. IAM roles and S3
  2. IAM Assumed roles and S3
  3. IAM role permission requirements

Example 1: Restrict Aspera server to a specific bucket and subfolder

This example shows an IAM policy that allows Aspera to access only MY-FOLDER inside MY-BUCKET. Listing is limited to keys under the MY-FOLDER/ prefix, and object operations are granted only on arn:aws:s3:::MY-BUCKET/MY-FOLDER/*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::MY-BUCKET"],
      "Condition": {
        "StringLike": {"s3:prefix": ["MY-FOLDER/*"]}
      }
    },
    {
      "Sid": "AllowListBucketUploads",
      "Action": ["s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::MY-BUCKET"]
    },
    {
      "Sid": "AllowUserToReadWriteObjectInFolder",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::MY-BUCKET/MY-FOLDER/*"]
    }
  ]
}

Example 2: Restrict bucket access to specific IP addresses

This example shows a bucket policy that allows only the IP addresses of the Aspera servers to access MY-BUCKET. A bucket policy must name a Principal, and the Deny covers both the bucket ARN and the object ARN so that listing the bucket is blocked along with object reads and writes. The two ranges shown are documentation placeholders; replace them with the public addresses of your Aspera servers.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlockRequestsThatDontComeFromaSpecificIPRange",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::MY-BUCKET", "arn:aws:s3:::MY-BUCKET/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
        }
      }
    }
  ]
}
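The following script is an added example, not part of this article or of Aspera's own tooling. It checks both policies above offline with only the Python standard library: for Example 1 it confirms that every object-level grant stays under MY-FOLDER/ and that s3:ListBucket is conditioned on that prefix; for Example 2 it flags a Deny statement that lacks a Principal or omits the bucket ARN, validates the CIDR ranges, and simulates the NotIpAddress condition for a given source address. The bucket and folder names, the embedded policy copies and the sample source IPs are constructed for the example, and the Example 2 copy is deliberately kept as a bare Deny statement (no Principal, object ARN only) so the checker has something to report.

```python
"""Offline sanity checks for the two S3 policies above (added example, stdlib only)."""
import copy
import fnmatch
import ipaddress
import json

BUCKET, FOLDER = "MY-BUCKET", "MY-FOLDER"  # constructed names, as in the article

# Constructed copy of Example 1: the IAM role policy confining Aspera to MY-FOLDER.
FOLDER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
     "Action": ["s3:ListBucket"], "Effect": "Allow",
     "Resource": ["arn:aws:s3:::MY-BUCKET"],
     "Condition": {"StringLike": {"s3:prefix": ["MY-FOLDER/*"]}}},
    {"Sid": "AllowListBucketUploads",
     "Action": ["s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
     "Effect": "Allow", "Resource": ["arn:aws:s3:::MY-BUCKET"]},
    {"Sid": "AllowUserToReadWriteObjectInFolder",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
     "Effect": "Allow", "Resource": ["arn:aws:s3:::MY-BUCKET/MY-FOLDER/*"]}
  ]
}""")

# Constructed copy of Example 2 as a bare Deny statement: the Principal (required in a
# bucket policy) and the bucket ARN are left out so bucket_policy_problems() reports them.
IP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BlockRequestsThatDontComeFromaSpecificIPRange",
     "Action": "s3:*", "Effect": "Deny",
     "Resource": ["arn:aws:s3:::MY-BUCKET/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}}
  ]
}""")


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _grants(statement, action):
    """True if an Allow statement's Action patterns cover `action` (wildcards included)."""
    return statement["Effect"] == "Allow" and any(
        fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"]))


def object_grants_outside_folder(policy, bucket=BUCKET, folder=FOLDER):
    """Allowed object-level ARNs that escape bucket/folder/ (an empty list is the goal)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    wanted = f"{bucket_arn}/{folder}/"
    return [res for st in policy["Statement"] if st["Effect"] == "Allow"
            for res in _as_list(st["Resource"])
            if res != bucket_arn and not res.startswith(wanted)]


def list_bucket_is_prefix_scoped(policy, folder=FOLDER):
    """True if every grant of s3:ListBucket carries an s3:prefix condition under folder/."""
    for st in policy["Statement"]:
        if not _grants(st, "s3:ListBucket"):
            continue
        prefixes = _as_list(st.get("Condition", {}).get("StringLike", {}).get("s3:prefix", []))
        if not prefixes or not all(p.startswith(folder + "/") for p in prefixes):
            return False
    return True


def bucket_policy_problems(policy, bucket=BUCKET):
    """Structural problems in an IP-restricting bucket policy, as readable strings."""
    problems = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        if "Principal" not in st:
            problems.append(f"{sid}: bucket policies must name a Principal")
        if st["Effect"] == "Deny" and f"arn:aws:s3:::{bucket}" not in _as_list(st["Resource"]):
            problems.append(f"{sid}: Deny omits the bucket ARN, so s3:ListBucket is not blocked")
        for cidr in _as_list(st.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])):
            try:
                ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 192.0.2.5/24
            except ValueError:
                problems.append(f"{sid}: {cidr!r} is not a valid CIDR range")
    return problems


def request_denied(policy, source_ip):
    """Simulate only the NotIpAddress Deny: True if a request from source_ip is rejected."""
    ip = ipaddress.ip_address(source_ip)
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        allowed = _as_list(st["Condition"]["NotIpAddress"]["aws:SourceIp"])
        if not any(ip in ipaddress.ip_network(c, strict=False) for c in allowed):
            return True
    return False


def fixed_ip_policy(policy=IP_POLICY, bucket=BUCKET):
    """Copy of the policy with the Principal and bucket ARN that the checker asks for."""
    fixed = copy.deepcopy(policy)
    for st in fixed["Statement"]:
        st.setdefault("Principal", "*")
        resources = _as_list(st["Resource"])
        if f"arn:aws:s3:::{bucket}" not in resources:
            st["Resource"] = [f"arn:aws:s3:::{bucket}"] + resources
    return fixed


if __name__ == "__main__":
    print("object grants outside folder:", object_grants_outside_folder(FOLDER_POLICY))
    print("ListBucket prefix-scoped:", list_bucket_is_prefix_scoped(FOLDER_POLICY))
    for problem in bucket_policy_problems(IP_POLICY):
        print("problem:", problem)
    print("problems after fix:", bucket_policy_problems(fixed_ip_policy()))
    for ip in ("192.0.2.10", "198.51.100.7"):  # constructed sample source addresses
        print(ip, "denied" if request_denied(IP_POLICY, ip) else "allowed")
```

The checks are structural, not a full IAM evaluation: request_denied() looks only at the NotIpAddress condition and ignores Action and Resource matching, and none of the functions model how a role policy and a bucket policy combine at request time. For that, run the same policies through the AWS IAM policy simulator against a test principal.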