Set permission AWS s3 to only creator - amazon-web-services

Is there a way to set access permissions (READ/WRITE) to only the creators of the buckets/objects?
We are working on a project that requires storing the data only for specific users. (I know about setting permissions to the specific groups - Admin, Developers. etc. but it's not the case here, as some other Developers are not allowed to view the items either).
Is it possible to perform it via policy?
Or it's just not possible to do so.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::targetBucketName",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::targetBucketName",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
},
{
"Sid": "AWSConfigBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::targetBucketName/[optional] prefix/AWSLogs/sourceAccountID/Config/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"AWS:SourceAccount": "sourceAccountID"
}
}
}
]
}

Related

AWS S3: Unable to restrict access to bucket resources only on my website

According to the documentation, all I have to do is add this S3 bucket policy:
{
"Version":"2012-10-17",
"Id":"http referer policy example",
"Statement":[
{
"Sid":"Allow get requests originating from www.example.com and example.com.",
"Effect":"Allow",
"Principal":"*",
"Action":["s3:GetObject","s3:GetObjectVersion"],
"Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"Condition":{
"StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
}
}
]
}
So I went to my bucket and I found these existing policies:
{
"Version": "2008-10-17",
"Id": "Policy1335892530063",
"Statement": [
{
"Sid": "Stmt1335892150622",
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cur:us-east-1:122xxxxxx328:definition/*",
"aws:SourceAccount": "122xxxxx328"
}
}
},
{
"Sid": "Stmt1335892526596",
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cur:us-east-1:122xxxxx328:definition/*",
"aws:SourceAccount": "122xxxxx5328"
}
}
}
]
}
So I added this one:
{
"Sid": "Allow get requests originating from www.mywebsite.com and mywebsite.com.",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://www.mywebsite.com/*",
"https://mywebsite.com/*"
]
}
}
}
And so this is the final result:
{
"Version": "2008-10-17",
"Id": "Policy1335892530063",
"Statement": [
{
"Sid": "Stmt1335892150622",
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cur:us-east-1:122xxxxxx328:definition/*",
"aws:SourceAccount": "122xxxxx328"
}
}
},
{
"Sid": "Stmt1335892526596",
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cur:us-east-1:122xxxxx328:definition/*",
"aws:SourceAccount": "122xxxxx5328"
}
}
},
{
"Sid": "Allow get requests originating from www.mywebsite.com and mywebsite.com.",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://www.mywebsite.com/*",
"https://mywebsite.com/*"
]
}
}
}
]
}
But, still the resources wouldn't load on mywebsite.
Any idea what's going on or what I should check to debug this?

Create S3 bucket policy for ssm resource data sync that allows new accounts added access without manually adding a statement

I am attempting to deploy a SSM Inventory Collection and a Resource Data Sync via Cloudformation in 15 accounts. I am able to manually add each account by adding a statement in the central s3 bucket for proper access. I was wondering is there a way to create a policy that allows newly created AWS accounts in the future to have proper access without adding a statement to the s3 bucket policy. Below is the documentation I have followed. I was using this method to add each account below
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=123456789012/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=444455556666/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=777788889999/*"
],
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html
Further in the documentation, I see you can create a resource data sync for accounts defined in AWS Organizations. But this still doesnt accomplish granting any new accounts where template gets deployed, access will be granted.
Creating an inventory resource data sync for accounts defined in AWS Organizations
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::S3_bucket_name"
},
{
"Sid": " SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"s3:RequestObjectTag/OrgId": "organization-id",
"aws:SourceAccount": "123456789012"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:ssm:*:123456789012:resource-data-sync/*"
}
}
},
{
"Sid": " SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
]
}
]
}
I have played around with a few policies but doesn't seem to work
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::inventorycollectionsync/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-mb7bem0c79"
}
}
}
]
}

Try this:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": " SSMBucketOrgDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": " SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:RequestObjectTag/OrgId": "org-id",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": " SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*"
}
]
}

AWS Config Grantee for S3 Bucket Policy

I am trying to find the solution for config s3-bucket-policy-grantee-check-conformance-pack showing noncompliance on this S3 Bucket Policy and can't seem to find a solution.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]

AWS S3 Bucket policy with DENY effect to Load Balancer logs from another account

The below S3 bucket policy to access alb logs from another account of same region with Deny policy doesn't work, I tried with a Condition but no luck
If I use "Allow" it works but I need to use Deny as per my company policy and allow based on condition
127311923021 - us-east-1
Any ideas please?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "arn:aws:s3:::myelbogs/prefix/*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myelbogs/prefix/*",
"Condition": {
"StringNotLike": {
"AWS": "arn:aws:iam::127311923021:root"
}
},
},
{
"Effect": "Deny",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myelbogs/prefix/*",
"Condition": {
"StringNotLike": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
},
},
{
"Effect": "Deny",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::myelbogs",
"Condition": {
"StringNotLike": {
"AWS": "arn:aws:iam::127311923021:root"
}
},
}
]
}

Restricting access to AWS S3 Bucket Objects only when requests are made from certain domains

I have created a bucket policy to try and stop hotlinking to my S3 files from people who gain the direct URL. I only want my website to be able to access those files. However when I direct link even with the below policy, it still allows access to the file. The files are all set to public.
{
"Id": "Policy1491040992219",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://mywebsite.com/*"
}
},
"Principal": "*"
},
{
"Sid": "Stmt14910403436760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "http://localhost:8888/*"
}
},
"Principal": "*"
}
]
}
Do I need to change any settings on the actual S3 bucket settings to stop all access?
Thanks!

You are missing the Deny statement. Try this policy:
{
"Version": "2008-10-17",
"Id": "Policy1491040992219",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
},
{
"Sid": "Stmt14910401236761",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
}
]
}