I have one S3 bucket with no resource policy. I create policy explicitly that restrict IAM user access to this bucket by creating below policy and attaching it to IAM user.
If I login using that user in console , I see that list of bucket and can do action that are defined in policy. but when I try doing aws s3 ls is give me below error
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
Policy
{
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowAppsS3ListAccess"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
],
"Sid": "AllowAppsS3Access"
}
],
"Version": "2012-10-17"
}
Related
I am trying to publish AWS VPC Flow Logs from account A to S3 bucket in another account B. I am able to do so but when i try to download the logs from account A, i am getting the error
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
My account A has IAM userA that i am using.
I am using the below command to download:
aws s3 cp s3://vpcflowlogscross/VPCLogs/{subscribe_account_id}/vpcflowlogs/{region_code}/2021/06/14/xyz.log.gz .
I have tried adding the region as well in the above command but no luck. Also while investigating this i came across documentation to add ListBucket permission which i already have.
My bucket policy in account B:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::vpcflowlogs-cross/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AWSLogDeliveryCheck",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::vpcflowlogs-cross"
},
{
"Sid": "DownloadObjects",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:user/userA"
},
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::vpcflowlogs-cross",
"arn:aws:s3:::vpcflowlogs-cross/*"
]
]
}
I am using the below IAM user policy in account A to download the objects that are in account B S3 bucket.
My IAM user policy in account A:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IAMAllowDownload",
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::vpcflowlogs-cross",
"arn:aws:s3:::vpcflowlogs-cross/*"
]
}
]
}
I have tried changing the bucket and IAM policy but still not luck. I understand that the log objects getting published to the account B are owned by it but i am using the s3 "getobject" permission in bucket policy for the account A Principal userA shouldn't this allow me to download the objects.
I have a bucket with empty bucket policy, block public access turned ON (ACLs and Bucket) and trying to list buckets using IAM policy tied to user using STS AssumeRole with following attached policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:GetBucket*",
"s3:ListBucket*",
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-test-bucket/*"
]
}
]
}
The assumed role credentials are used during the STS session in python (boto3)
s3c = boto3.client('s3',
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'])
s3c.list_buckets()
I get this exception:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
When I tried to use IAM Policy simulator, it indicates "Implicitly denied". Im thinking if I need to access a bucket policy for this user? My understanding has been if both IAM and Bucket policy, it is an intersection. If either is not present, the other takes precedence.
Calling list_buckets() uses the s3:ListAllMyBuckets permission.
This permission cannot be restricted to a specific bucket. A user can either list all of the buckets in the account, or none of them.
Calling operations on a bucket (ListBucket, GetBucket*) requires permission for the bucket itself.
Operations on objects requires permission for the objects (or /* after the bucket name to permit actions on all objects).
Therefore, you can change your policy to:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucket*"
],
"Resource": "arn:aws:s3:::my-test-bucket"
},
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-test-bucket/*"
}
]
}
This is a pretty common issue because people tend to miss the difference between a "bucket" resource and an "object" resource. A bucket ends in the name of the bucket (arn:aws:s3:::my-test-bucket) whereas an object includes the bucket and key, and is often granted with a star after the initial slash. So, just change your policy to the following.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-test-bucket"
]
},
{
"Action": [
"s3:GetObject",
"s3:GetBucket*",
"s3:ListBucket*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-test-bucket/*"
]
}
]
}
Still new to AWS. I'm trying to grant a user access to only S3 buckets that have a particular naming convention. I've got a basic policy like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowActionsForProjectbucket",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
"arn:aws:s3:::bucket-*/*",
"arn:aws:s3:::bucket-*"
]
},
}
However I'm getting Access Denied errors when running.
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
I'm confused I guess by the error message, as I assumed that the s3:* Action covered the ListBuckets, but perhaps it's something else.
Add below policy to your AWS IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-BUCKET",
"arn:aws:s3:::YOUR-BUCKET/*"
]
}
]
}
https://www.serverkaka.com/2018/05/grant-access-to-only-one-s3-bucket-to-aws-user.html
i have this policy, why is it not able to write to s3 bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": [
"arn:aws:s3:::cf-templates-erb4urdcaiht-us-east-1",
"arn:aws:s3:::elasticbeanstalk-us-east-1-008151213029",
"arn:aws:s3:::test-bucket-for-iam"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject*",
"s3:GetObject*",
"s3:GetObjectAcl",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::cf-templates-erb4urdcaiht-us-east-1",
"arn:aws:s3:::elasticbeanstalk-us-east-1-008151213029",
"arn:aws:s3:::test-bucket-for-iam"
]
}
]
}
when i try to upload object i get, i have given putobject why iam i getting this error
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
Changing
"arn:aws:s3:::cf-templates-erb4urdcaiht-us-east-1"
to this
"arn:aws:s3:::cf-templates-erb4urdcaiht-us-east-1/*"
worked in my case.
What I Want To Achieve
I am trying to grant an IAM user with a REST API token permission to described environment health on a specific elastic beanstalk application via the AWS CLI.
The Problem
When I run with the CLI command:
aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile
I get the error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth
with the --debug flag I can see a HTTP 403 response.
Extra Details
The IAM policy has the action "elasticbeanstalk:DescribeEnvironmentHealth" on the resource:
"arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"
I have double checked the account id, app and env name.
I can perform other actions just fine such as DescribeEnvironments when I add this action instead.
I have verified on the particular resource ARN with this policy using the IAM simulator when selecting the user and it says access is granted.
The version of the CLI is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
As a test I temporarily relaxed the policy to have the action elasticbeanstalk:* and it still doesn't work.
Questions
How can I further debug this issue?
Why does the IAM policy simulator say the policy does grant access but access is denied viu the CLI?
Full Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1455880772092",
"Action": [
"ec2:*",
"s3:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
"rds:*",
"cloudformation:*",
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
]
},
{
"Sid": "Stmt1455891876139",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:Get*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
}
]
}
For some reason elasticbeanstalk:DescribeEnvironmentHealth worked for me only with "Resource": "*".
So I've separated write/read permissions, allowing "Resource": "*" only for read. Here is my full policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:UpdateEnvironment"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
"arn:aws:elasticbeanstalk:*:*:environment/*/*",
"arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:ListPlatformVersions",
"elasticbeanstalk:DescribeEnvironmentManagedActions",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:RetrieveEnvironmentInfo"
],
"Resource": "*"
}
]
}