79620578

Date: 2025-05-14 00:38:29
Score: 2
Natty:

Thanks to @jarmod's CloudTrail tip, I was able to accomplish what I was trying to do.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::test-bucket",
                "arn:aws:s3:::test-bucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "ROLE_ID:user1",
                        "ROLE_ID:user2"
                    ]
                }
            }
        }
    ]
}

where ROLE_ID is the ID of the role the users assume when logging into the account. I had to call the aws iam get-role API with the AWS CLI in order to get the ROLE_ID.

Reasons:
  • Blacklisted phrase (0.5): Thanks
  • Long answer (-0.5):
  • Has code block (-0.5):
  • User mentioned (1): @jarmod
  • Self-answer (0.5):
  • Low reputation (1):
Posted by: Gabriel
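The following is an added example, not code from the answer above or from AWS: it builds the same Deny-everyone-except bucket policy from a role ID and a list of role session names, pulls the RoleId out of aws iam get-role output, and simulates how the StringNotLike condition on aws:userId evaluates for different callers. The role ID, account ID and get-role output below are constructed sample values. Two points worth seeing in the simulation: for an assumed role, aws:userId is "<RoleId>:<RoleSessionName>", so a session from a different role, or the same role with a session name not in the list, is denied; and because the statement uses Principal "*", it also denies the account root user (whose aws:userId is the bare account ID) and anonymous requests, so the only escape hatch is the root user's ability to delete the bucket policy.

```python
import json
import re
from typing import Iterable, Optional


def build_bucket_policy(bucket: str, role_id: str, session_names: Iterable[str]) -> dict:
    """Build the Deny statement from the answer for `bucket`.

    aws:userId for an assumed-role session is "<RoleId>:<RoleSessionName>",
    so each allowed value is the role ID joined to a session name.
    """
    allowed = [f"{role_id}:{name}" for name in session_names]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"StringNotLike": {"aws:userId": allowed}},
            }
        ],
    }


def role_id_from_get_role(cli_json: str) -> str:
    """Extract RoleId from the JSON printed by `aws iam get-role --role-name NAME`."""
    return json.loads(cli_json)["Role"]["RoleId"]


def _iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run, '?' one char."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def deny_applies(policy: dict, user_id: Optional[str]) -> bool:
    """Simulate the Deny statement against a request carrying `user_id` as aws:userId.

    user_id None models an anonymous request with no aws:userId key; a
    StringNot* condition on a missing key evaluates true, so the Deny applies.
    """
    patterns = policy["Statement"][0]["Condition"]["StringNotLike"]["aws:userId"]
    if user_id is None:
        return True
    return not any(_iam_string_like(p, user_id) for p in patterns)


# Constructed sample of `aws iam get-role` output (not a real role or account).
SAMPLE_GET_ROLE_OUTPUT = json.dumps(
    {
        "Role": {
            "RoleName": "DevRole",
            "RoleId": "AROAEXAMPLEROLEID123",
            "Arn": "arn:aws:iam::123456789012:role/DevRole",
        }
    }
)
SAMPLE_ACCOUNT_ID = "123456789012"  # constructed; the root user's aws:userId is the account ID


if __name__ == "__main__":
    role_id = role_id_from_get_role(SAMPLE_GET_ROLE_OUTPUT)
    policy = build_bucket_policy("test-bucket", role_id, ["user1", "user2"])
    print(json.dumps(policy, indent=4))
    for caller in [f"{role_id}:user1", f"{role_id}:user3", "AROAOTHERROLE:user1", SAMPLE_ACCOUNT_ID, None]:
        print(f"{caller!r:40} denied={deny_applies(policy, caller)}")
```

To apply the generated document, pipe it to `aws s3api put-bucket-policy --bucket test-bucket --policy file://policy.json`; test the list of session names against a throwaway bucket first, since anyone outside it, including the root user and any break-glass admin role, loses all S3 access to the bucket.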