AWS, encrypted connections to s3 bucket [duplicate] - amazon-web-services

This question already has answers here:
Force SSL on Amazon S3
(2 answers)
Closed last month.
I wanted to secure an S3 bucket so that connections to it could only be made over SSL. Now I have
"secure_transport_enabled": false,
Where can I set this option? Maybe in the ACL? What if I have ACLs disabled on the bucket?

You can enable an S3 bucket policy and deny all requests made if SSL is not used. Here is the bucket policy you could use:
{
  "Id": "EnforceSSLPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureRequests",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME",
        "arn:aws:s3:::BUCKET-NAME/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}

Related

Access denied error when sending curl to S3 bucket [duplicate]

This question already exists:
Is there a way to curl an S3 bucket from an EC2 instance
Closed 5 months ago.
I am trying to send a curl request to an S3 bucket from my EC2 to retrieve a specific object within the bucket:
I want to create a transparent proxy with caching implemented by nginx, so the AWS CLI won't work for this.
The EC2 instance (Linux machine) works as a proxy server with NGINX to send HTTP requests to the bucket for caching purposes; I do not have an SSL cert on this instance.
The bucket only contains images.
The curl request looks like this:
curl my-bucket.s3.eu-west-1.amazonaws.com/1450/1349/5467_1012.jpg
But I get an Access Denied error.
I have attached a full read access policy to my EC2 instance role.
Here is my bucket policy:
{
  "Version": "2012-10-17",
  "Id": "MediaStorageBucketPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${current_account}:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "${media_storage_bucket_arn}",
        "${media_storage_bucket_arn}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${current_account}:root"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "${media_storage_bucket_arn}",
        "${media_storage_bucket_arn}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account number>:role/ssm-ec2-service-role"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "${media_storage_bucket_arn}",
        "${media_storage_bucket_arn}/*"
      ]
    }
  ]
}
Can this be achieved without making the bucket public?
The solution I found was creating an IAM user with S3 read access that can then be used within the EC2 instance (credentials of the user) to pull data from the bucket; see the following doc:
http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
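An unsigned curl to a private bucket reaches S3 as an anonymous request, so the bucket policy's grants to the instance role or to an IAM user never apply to it; that is why the request above is refused. The Python script below is an added example, not code from the question, the answer or the linked document: it signs a GET for the object from the question with AWS Signature Version 4 (the scheme current S3 endpoints expect) using only the standard library, and renders the result as a curl command line. The function names `sign_s3_get`, `example_request` and `curl_command`, the access key `AKIAEXAMPLEKEYID`, the secret, the fixed timestamp and the session-token handling are all assumptions made for the example; in practice the credentials come from the IAM user the answer describes or from the instance role.

```python
"""Sign an S3 GET request with AWS Signature Version 4 using only the standard library."""
import datetime
import hashlib
import hmac
from urllib.parse import quote


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """Derive the SigV4 signing key: an HMAC chain over date, region, service and a fixed suffix."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_s3_get(bucket, key, region, access_key, secret_key, when, session_token=None):
    """Return (url, headers) for a signed GET of s3://bucket/key on the virtual-hosted endpoint.

    `when` must be a timezone-aware UTC datetime; S3 rejects signatures whose date is far from its clock.
    """
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/~")  # each path segment URI-encoded once, "/" kept
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(b"").hexdigest()  # a GET has an empty body

    # Headers that take part in the signature; S3 requires x-amz-content-sha256.
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (instance role, STS) must also send their token
        headers["x-amz-security-token"] = session_token

    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name].strip()}\n" for name in sorted(headers))
    canonical_request = "\n".join(
        ["GET", canonical_uri, "", canonical_headers, signed_headers, payload_hash]  # "" = no query string
    )
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region), string_to_sign.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return f"https://{host}{canonical_uri}", headers


def curl_command(url, headers):
    """Render the signed request as a curl invocation; curl sets the Host header from the URL itself."""
    parts = ["curl"]
    for name, value in headers.items():
        if name != "host":
            parts.append(f"-H '{name}: {value}'")
    parts.append(f"'{url}'")
    return " ".join(parts)


def example_request(secret_key="EXAMPLE-SECRET-KEY", session_token=None):
    """Sign the GET from the question with constructed placeholder credentials and a fixed clock."""
    fixed = datetime.datetime(2024, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)
    return sign_s3_get("my-bucket", "1450/1349/5467_1012.jpg", "eu-west-1",
                       "AKIAEXAMPLEKEYID", secret_key, fixed, session_token)


if __name__ == "__main__":
    # Real use: replace the placeholders with the IAM user's key pair and datetime.now(datetime.timezone.utc).
    url, hdrs = example_request()
    print(curl_command(url, hdrs))
```

The bucket and object path are the ones from the question; the host in the URL is the bucket's regional virtual-hosted endpoint, which serves HTTPS regardless of whether the proxy instance itself has a certificate. Because `host` and `x-amz-date` are part of the signature, the request is only valid for that exact host and for a short window around that timestamp, so a signing step has to run per request rather than once.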

AWS - Permission Denied After Setting a Policy with SecureTransport:false

I was trying to enforce a policy that allows only SSL access.
However, after attaching the Policy, now I get "You don't have permissions" on every single thing in this bucket, including the Permissions tab and Bucket Policy section.
I am the admin and I do have all access permissions to S3 in IAM for my user.
This is the policy:
{
  "Id": "Policy98421321896",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MustBeEncryptedInTransit",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::cf-templates-98d9d7a96z21x-us-east-1",
        "arn:aws:s3:::cf-templates-98d9d7a96z21x-us-east-1/*"
      ],
      "Condition": {
        "ArnEqualsIfExists": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
Question is:
How do I restore permissions to this bucket?
And how should I correctly set this policy?
When you want to add a condition which checks for Boolean values, it should use the "Bool" key with a valid value.
"Condition": {
  "Bool": {
    "aws:SecureTransport": "true"
  }
}
What you are trying to achieve is mentioned in this blog, and you can use it according to your need.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
About the 2nd part of your question, you can reset the permission using your root account, as it should have god-level permissions. But it is strange that updating a bucket policy changes your IAM policies and you can't access certain parts of the S3 config. Maybe something else is missing here.

Access S3 bucket from VPC

I'm running a NodeJS script and using the aws-sdk package to write files to an S3 bucket. This works fine when I run the script locally, but not from an ECS Fargate service; that's when I get Error: AccessDenied: Access Denied.
The service has the allowed VPC vpc-05dd973c0e64f7dbc. I've tried adding an Internet Gateway to this VPC, and also an endpoint (as seen in the attached image), but nothing resolves the Access Denied error. Any ideas what I'm missing here?
SOLVED: the problem was me misunderstanding aws:sourceVpce. It requires the VPC endpoint id and not the VPC id.
(screenshot: Endpoint)
(screenshot: Internet Gateway)
Bucket policy:
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3MKW5OAU5CHLI"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::mywebsite.com/*"
    },
    {
      "Sid": "Stmt1582486025157",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mywebsite.com/*",
      "Principal": "*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpc-05dd973c0e64f7dbc"
        }
      }
    }
  ]
}
Please add a bucket policy that allows access from the VPC endpoint.
Update your bucket policy with a condition that allows users to access the S3 bucket when the request is from the VPC endpoint that you created. To whitelist those users to download objects, you can use a bucket policy that's similar to the following:
Note: For the value of aws:sourceVpce, enter the VPC endpoint ID of the endpoint that you created.
{
  "Version": "2012-10-17",
  "Id": "Policy1314555909999",
  "Statement": [
    {
      "Sid": "<<Access-to-specific-VPConly>>",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::awsexamplebucket/*"],
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-1c2g3t4e"
        }
      }
    }
  ]
}
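Three of the questions on this page come down to the same class of bucket-policy mistake: the first ("encrypted connections to s3 bucket") and the third ("Permission Denied After Setting a Policy with SecureTransport:false") need a Deny that uses the Bool operator on aws:SecureTransport, and this one needs a vpce- endpoint id rather than a vpc- id in aws:sourceVpce. The Python linter below is an added example, not code from any of the answers: it checks a policy document for those mistakes and reports whether a policy actually enforces TLS on both the bucket and its objects. The function names (`lint_policy`, `enforces_tls`, `tls_policy`, `vpce_policy`), the sample bucket name `example-bucket` and the endpoint id `vpce-0a1b2c3d4e5f67890` are constructed for the example; the VPC id is the one from the question above.

```python
"""Lint an S3 bucket policy for the SecureTransport and sourceVpce mistakes discussed above."""
import re

# Condition keys are case-insensitive, so they are compared lower-cased.
BOOLEAN_KEYS = {"aws:securetransport"}
VPCE_KEY = "aws:sourcevpce"
VPCE_ID = re.compile(r"^vpce-[0-9a-z]{8,17}$")  # endpoint ids, as opposed to vpc-... VPC ids


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions(statement):
    """Yield (operator, key, values) for every condition entry of a statement."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, values in pairs.items():
            yield operator, key.lower(), [str(v) for v in _as_list(values)]


def _applies_to_everyone(statement):
    principal = statement.get("Principal")
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def lint_policy(policy):
    """Return findings as strings; an empty list means none of the checked mistakes is present."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no Sid>")
        for operator, key, values in _conditions(st):
            if key in BOOLEAN_KEYS and operator != "Bool":
                findings.append(f"{sid}: {key} is a boolean key; use the Bool operator, not {operator}")
            if key == VPCE_KEY:
                for value in values:
                    if not VPCE_ID.match(value):
                        findings.append(f"{sid}: aws:sourceVpce takes a VPC endpoint id (vpce-...), got {value!r}")
    return findings


def enforces_tls(policy, bucket):
    """True when every principal is denied all S3 actions on the bucket and its objects over plain HTTP."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or not _applies_to_everyone(st):
            continue
        if "s3:*" not in _as_list(st.get("Action", [])):
            continue
        # A Deny on "bucket/*" alone leaves bucket-level calls such as ListBucket reachable over HTTP.
        if not {bucket_arn, bucket_arn + "/*"} <= set(_as_list(st.get("Resource", []))):
            continue
        for operator, key, values in _conditions(st):
            if operator == "Bool" and key == "aws:securetransport" and [v.lower() for v in values] == ["false"]:
                return True
    return False


def tls_policy(bucket, operator="Bool", objects_only=False):
    """Build the enforce-SSL Deny statement; a wrong operator reproduces the policy from the third question."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    resources = [bucket_arn + "/*"] if objects_only else [bucket_arn, bucket_arn + "/*"]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureRequests", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": resources, "Condition": {operator: {"aws:SecureTransport": "false"}}}]}


def vpce_policy(bucket, endpoint_id):
    """Allow GetObject only for requests arriving through the given VPC endpoint."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowFromEndpointOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": [f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringEquals": {"aws:sourceVpce": endpoint_id}}}]}


# Constructed samples mirroring the policies in the questions; the ids are placeholders.
GOOD_TLS_POLICY = tls_policy("example-bucket")
WRONG_OPERATOR_POLICY = tls_policy("example-bucket", operator="ArnEqualsIfExists")
WRONG_VPCE_POLICY = vpce_policy("example-bucket", "vpc-05dd973c0e64f7dbc")   # a VPC id by mistake
FIXED_VPCE_POLICY = vpce_policy("example-bucket", "vpce-0a1b2c3d4e5f67890")  # an endpoint id

if __name__ == "__main__":
    for name, policy in [("good TLS", GOOD_TLS_POLICY), ("wrong operator", WRONG_OPERATOR_POLICY),
                         ("vpc id", WRONG_VPCE_POLICY), ("vpce id", FIXED_VPCE_POLICY)]:
        print(f"{name}: {lint_policy(policy) or 'no findings'}")
    print("good TLS policy enforces TLS:", enforces_tls(GOOD_TLS_POLICY, "example-bucket"))
```

Run it against a policy fetched with `aws s3api get-bucket-policy` before applying it: a Deny with Principal "*" binds every caller, the administrator included, so a condition that does not evaluate the way you expect is exactly how the third question ended up locked out of its own bucket.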

S3 bucket policy is not allowing Athena to perform query execution

I am performing Amazon Athena queries on an S3 bucket. Let's call it athena-bucket. Today I got a requirement to restrict this bucket over VPC Endpoints. So I have tried this S3 bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VPCe and SourceIP",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::**********:user/user_admin",
          "arn:aws:iam::**********:root"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::athena-bucket",
        "arn:aws:s3:::athena-bucket/abc/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": [
            "vpce-XXXXxxxxe",
            "vpce-xxxxxxxxxx",
            "vpce-XXXXXXXXXXXXXX"
          ]
        },
        "NotIpAddress": {
          "aws:SourceIp": [
            "publicip/32",
            "publicip2/32"
          ]
        }
      }
    }
  ]
}
Please note that Athena has full permission to access the above bucket. I want to use the S3 bucket policy to restrict access to only certain IP addresses and VPC Endpoints.
However, I am getting an access denied error although the request is routed through the VPC Endpoints mentioned in the policy.
Amazon Athena is an Internet-based service. It accesses Amazon S3 directly and does not connect via an Amazon VPC.
If you restrict the bucket to only be accessible via a VPC Endpoint, Amazon Athena will not be able to access it.
There is actually a solution for you to get what you are asking for. The following policy condition allows actions from all of your VPC endpoints and Athena:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VPCe and SourceIP",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::**********:user/user_admin",
          "arn:aws:iam::**********:root"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::athena-bucket",
        "arn:aws:s3:::athena-bucket/abc/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:sourceVpce": [
            "vpce-XXXXxxxxe",
            "vpce-xxxxxxxxxx",
            "vpce-XXXXXXXXXXXXXX"
          ],
          "aws:CalledVia": [ "athena.amazonaws.com" ]
        }
      }
    }
  ]
}
The "ForAllValues" portion of the condition is what turns this AND condition into an OR.
Not sure how your IP restrictions would play with this, since you cannot tell which IPs Athena would be coming from.

S3 full-access configuration from EC2 instance [duplicate]

This question already has answers here:
What is Wrong With My AWS Policy?
(2 answers)
Closed 4 years ago.
I've created a role to grant full access to S3 from an EC2 instance. This is working OK: every time I create a new EC2 instance and attach this role, it has full access to all my buckets on S3. I feel this is quite insecure, so my question is: is it possible to create a role or something similar to grant EC2 instances full access to specific buckets on S3 and not to all of them? Thanks!
This is the role I have right now:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
Already answered by me HERE
You can try this policy to give full access to a particular bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<BUCKETNAME>",
        "arn:aws:s3:::<BUCKETNAME>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
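The reason a bucket-scoped policy needs both `arn:aws:s3:::<BUCKETNAME>` and `arn:aws:s3:::<BUCKETNAME>/*` is that S3 authorizes bucket-level actions (s3:ListBucket, s3:GetBucketLocation) against the bucket ARN and object-level actions (s3:GetObject, s3:PutObject) against object ARNs, while s3:ListAllMyBuckets only works against a wildcard resource. The Python helper below is an added example, not the policy from the answer above: it generates an instance-role policy scoped to named buckets from a list of actions, and flags the account-wide pattern from the question (`"Action": "s3:*"` on `"Resource": "*"`). The function names, the action grouping (a small subset of S3 actions, not the full catalogue) and the bucket name `app-media-bucket` are assumptions made for the example.

```python
"""Build an instance-role policy scoped to named buckets instead of "Resource": "*"."""
import json

# A subset of S3 actions grouped by the resource they are authorized against.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def bucket_scoped_policy(buckets, actions):
    """Split the requested actions into bucket-level and object-level statements for the given buckets."""
    wanted = set(actions)
    unknown = wanted - BUCKET_ACTIONS - OBJECT_ACTIONS
    if unknown:
        raise ValueError(f"actions not classified by this example: {sorted(unknown)}")
    arns = [f"arn:aws:s3:::{b}" for b in sorted(buckets)]
    statements = []
    bucket_level = sorted(wanted & BUCKET_ACTIONS)
    object_level = sorted(wanted & OBJECT_ACTIONS)
    if bucket_level:  # ListBucket is evaluated against the bucket ARN, never against bucket/*
        statements.append({"Sid": "BucketLevel", "Effect": "Allow",
                           "Action": bucket_level, "Resource": arns})
    if object_level:  # GetObject/PutObject are evaluated against object ARNs, i.e. bucket/*
        statements.append({"Sid": "ObjectLevel", "Effect": "Allow",
                           "Action": object_level, "Resource": [arn + "/*" for arn in arns]})
    # Listing the account's buckets is the one call here that needs a wildcard resource.
    statements.append({"Sid": "ListBuckets", "Effect": "Allow",
                       "Action": "s3:ListAllMyBuckets", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def grants_account_wide_s3(policy):
    """Flag an Allow that pairs S3 actions other than ListAllMyBuckets with a wildcard resource."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        if "*" not in resources and "arn:aws:s3:::*" not in resources:
            continue
        for action in _as_list(st.get("Action", [])):
            if action in ("*", "s3:*") or (action.startswith("s3:") and action != "s3:ListAllMyBuckets"):
                return True
    return False


if __name__ == "__main__":
    # Constructed input: one application bucket, read/write on objects plus listing.
    policy = bucket_scoped_policy(["app-media-bucket"], ["s3:GetObject", "s3:PutObject", "s3:ListBucket"])
    print(json.dumps(policy, indent=2))
    print("account-wide:", grants_account_wide_s3(policy))
```

The generated document is an identity policy to attach to the instance role (for example with `aws iam put-role-policy`), so it carries no Principal; the bucket policies elsewhere on this page are resource policies and do. Keeping the two statement shapes separate also makes reviews easier: any statement whose Resource is a bare `*` should contain nothing but `s3:ListAllMyBuckets`.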