From 73185baeac010b24f9e87af504190bd67ca74ce3 Mon Sep 17 00:00:00 2001
From: Claudio Maradonna
Date: Sat, 7 Aug 2021 11:39:32 +0200
Subject: [PATCH] feature: IAM Policies S3 Wasabi compatibles

---
IAM/README.md | 7 ++++++
IAM/user_allow_specific_bucket.json | 15 +++++++++++
..._deny_explicitly_all_excluding_bucket.json | 25 +++++++++++++++++++
3 files changed, 47 insertions(+)
create mode 100644 IAM/README.md
create mode 100644 IAM/user_allow_specific_bucket.json
create mode 100644 IAM/user_deny_explicitly_all_excluding_bucket.json

diff --git a/IAM/README.md b/IAM/README.md
new file mode 100644
index 0000000..a54d003
--- /dev/null
+++ b/IAM/README.md
@@ -0,0 +1,7 @@
+# IAM Policies
+
+Actually those policies are tested on Wasabi S3 account.
+
+## Limitations
+
+* The policy `user_allow_specific_bucket.json` doesn't allow console operations
diff --git a/IAM/user_allow_specific_bucket.json b/IAM/user_allow_specific_bucket.json
new file mode 100644
index 0000000..3c2d4b2
--- /dev/null
+++ b/IAM/user_allow_specific_bucket.json
@@ -0,0 +1,15 @@
+{
+ "Statement": [
+ {
+ "Resource": [
+ "arn:aws:s3:::bucket-name/*",
+ "arn:aws:s3:::bucket-name"
+ ],
+ "Action": [
+ "s3:*"
+ ],
+ "Effect": "Allow"
+ }
+ ],
+ "Version": "2012-10-17"
+}
diff --git a/IAM/user_deny_explicitly_all_excluding_bucket.json b/IAM/user_deny_explicitly_all_excluding_bucket.json
new file mode 100644
index 0000000..32f0456
--- /dev/null
+++ b/IAM/user_deny_explicitly_all_excluding_bucket.json
@@ -0,0 +1,25 @@
+{
+ "Statement": [
+ {
+ "NotResource": [
+ "arn:aws:s3:::bucket-name/*",
+ "arn:aws:s3:::bucket-name"
+ ],
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:ListBucketMultipartUploads"
+ ],
+ "Effect": "Deny"
+ },
+ {
+ "NotResource": [
+ "arn:aws:s3:::bucket-name/*",
+ "arn:aws:s3:::bucket-name"
+ ],
+ "Action": "s3:*",
+ "Effect": "Deny"
+ }
+ ],
+ "Version": "2012-10-17"
+}
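Review bot: The Allow statement in `user_allow_specific_bucket.json` uses `"s3:*"`, which grants every S3 action on the bucket, including control-plane operations such as `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketAcl`, which is more than a user who only needs to read and write objects should hold. Narrowing to the data-plane actions actually required, e.g. `"Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]`, keeps bucket-policy and ACL changes with an administrative identity and limits the blast radius of a leaked access key. The README states these policies were only tested on Wasabi, and which subset of the AWS action names Wasabi honours is not visible here, so the narrowed list should be re-validated there rather than assumed. Adding a statement identifier such as `"Sid": "AllowSingleBucketDataPlane"` would also make the statement recognisable in access logs and policy simulators.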
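Review bot: In `user_deny_explicitly_all_excluding_bucket.json` the first Deny statement (`s3:ListBucket`, `s3:GetBucketLocation`, `s3:ListBucketMultipartUploads` on the same NotResource) is fully subsumed by the second, whose `"Action": "s3:*"` already denies those actions on that NotResource, so it adds nothing and should either be dropped or carry a `"Sid"` explaining why it is kept separately. The file contains no Allow statement, so attached on its own it grants no access at all; it is only useful as a guard rail combined with a broader allow (for example `user_allow_specific_bucket.json` or a pre-existing S3 permission), and that dependency belongs in the README's Limitations section, e.g. `* user_deny_explicitly_all_excluding_bucket.json must be attached together with an Allow policy; alone it grants nothing`. On AWS, `s3:ListAllMyBuckets` is evaluated against `arn:aws:s3:::*`, which is not in the NotResource list, so this explicit Deny also blocks bucket enumeration and therefore console bucket listing; that appears intended but is worth stating, and whether Wasabi evaluates it the same way is not shown here. Deny combined with NotResource is the safe direction; the inverse, Allow with NotResource, must never be introduced into this set since it would permit everything except the named bucket.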