How can I find what external S3 buckets (AWS-owned) are being accessed? - amazon-web-services

I'm using WorkSpaces Web (not WorkSpaces!) with an S3 VPC endpoint. I would like to be able to restrict S3 access via the S3 endpoint policy to only the buckets required by WorkSpaces Web. I cannot find any documentation with the answers, and AWS support does not seem to know what these buckets are. How can I find out what buckets the service is talking to? I see the requests in VPC flow logs, but that obviously doesn't show what URL or bucket it is trying to talk to. I have tried the same policy used for WorkSpaces (below), but it was not correct (or possibly not enough). I have confirmed that s3:GetObject is the only action needed.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::aws-windows-downloads-us-east-1/*",
        "arn:aws:s3:::amazon-ssm-us-east-1/*",
        "arn:aws:s3:::amazon-ssm-packages-us-east-1/*",
        "arn:aws:s3:::us-east-1-birdwatcher-prod/*",
        "arn:aws:s3:::aws-ssm-distributor-file-us-east-1/*",
        "arn:aws:s3:::aws-ssm-document-attachments-us-east-1/*",
        "arn:aws:s3:::patch-baseline-snapshot-us-east-1/*",
        "arn:aws:s3:::amazonlinux.*.amazonaws.com/*",
        "arn:aws:s3:::repo.*.amazonaws.com/*",
        "arn:aws:s3:::packages.*.amazonaws.com/*"
      ]
    }
  ]
}

Related

AWS S3 ACL Permissions

So my bucket was and is still functioning correctly; I'm able to upload images through the API with no issues. However, I was messing around with the user policy, and I made a change to the Resource for my user policy, and this caused some settings to change.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1420751757000",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": CHANGE MADE HERE
    }
  ]
}
When I try to upload an image through my AWS account (not using the API), the ACL public access is private by default. I tried changing my policy version back to what I had, but no change. I am pretty inexperienced with S3, so if I'm missing crucial info regarding this issue I can provide it.
If you want all objects to be public, then you should use a Bucket Policy.
This should typically be limited to only allowing people to download (Get) an object if they know the name of the object. You can use this Bucket Policy (which goes on the bucket itself):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    }
  ]
}
This policy is saying: "Allow anyone to get an object from this bucket, without knowing who they are"
It does not allow listing of the bucket, upload to the bucket or deleting from the bucket. If you wish to do any of these operations, you would need to use your own credentials via an API call or using the AWS CLI.
For examples of bucket policies, see: Bucket policy examples - Amazon Simple Storage Service
Your IAM User should probably have a policy like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME",
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    }
  ]
}
This is saying: "Allow this IAM User to do anything in Amazon S3 to this bucket and the contents of this bucket"
That will grant you permission to do anything with the bucket (including uploading, downloading and deleting objects, and deleting the bucket).
For examples of IAM Policies, see: User policy examples - Amazon Simple Storage Service

allowing a third party application to write to your aws bucket

I have a bit of a problem, to which I am not sure I know the answer. I have a bucket named staging and I would like to give access to a third-party dev (who is building the webapp) to allow file uploads into this bucket.
What is the correct way to go about doing this? Surely not giving away my AWS secrets?
Would be great if someone can point me in the right direction for this.
You can achieve it using resource-based policies on the staging S3 bucket.
Add a resource-based policy to the staging bucket that allows access to the dev account's IAM user/role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<ARN of IAM User/Role from Dev Account>"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::staging-bucket/*"
    }
  ]
}
Next, add an IAM policy in the dev account that allows access to the S3 bucket in the staging account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::staging-bucket/*"
    }
  ]
}
References
How can I provide cross-account access to objects that are in Amazon S3 buckets?
How to access S3 bucket from another AWS account
If you are talking about a third-party app uploading content, one option is to expose an API via API Gateway to upload content to the bucket. Remember to remove public access from the bucket permissions.

AWS IAM authorisation: how to give access to services with the AWS console?

I have a "root" account.
I created an "admin" account which has all the rights.
I created an account "dev" and I want it to only have access to certain services:
s3
dynamoDB
cloudWatch
API Gateway
Lambda
Cognito
So I created a policy with the AWS console editor and I gave full access to these resources and allowed everything; it gave me this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "apigateway:*",
        "lambda:*",
        "dynamodb:*",
        "cognito-idp:*"
      ],
      "Resource": "*"
    }
  ]
}
Looks good to me (not specific enough but good for a beginner).
Problem: I created a DB, Lambda, API Gateway, etc., but I can't see the services with this. Which authorisation should I give to the "dev" role to see the items in the AWS console?
I found it, I only needed to switch my region in the top right corner of the console. (shame on me)

Able to get some Amazon S3 objects but not all, getting 403 access denied error

Problem Statement:
Account A is uploading some files to an Amazon S3 bucket in Account B. I am in Account C and trying to access objects in the Account B Amazon S3 bucket. I am able to access some of the files but not all.
Account A is uploading files like this
this.s3Client.putObject(bucketName, key, new FileInputStream(content), metadata);
this.s3Client.setObjectAcl(bucketName, key, CannedAccessControlList.BucketOwnerFullControl);
I am only getting access denied for some of the files not all.
I have checked the bucket policy and Lambda policy, and they seem correct to me, as I am able to access other objects that were not uploaded by Account A. I feel that this issue is related to an object permission, where the uploader in the S3 bucket has exclusive access. But as we see in the above code, the uploader is setting the object ACL to BucketOwnerFullControl.
All the files are set to public already; also, I have given access to Account C's AWS account canonical ID under the ACL.
ACLs
Lambda policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::ACCOUNT_B_BUCKET/*"
    }
  ]
}
Bucket Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_ACCOUNT_C:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ACCOUNT_B_BUCKET/*"
    }
  ]
}
I have spent a lot of time on this and it is frustrating now. Please also let me know how can I debug these types of issues faster?
Can you please check the ACL, or go to the S3 console, select all files and make them public? This is just a debugging step.

how to allow AWS Textract access to a protected S3 bucket

I have bucket policy which allows access only from a VPC:
{
  "Version": "2012-10-17",
  "Id": "aksdhjfaksdhf",
  "Statement": [
    {
      "Sid": "Access-only-from-a-specific-VPC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::zzzz",
        "arn:aws:s3:::zzzz/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-xxxx"
        }
      }
    }
  ]
}
I'd like to allow traffic coming from AWS Textract to this bucket as well. I've tried various methods but because of the absolute precedence of 'explicit deny' (which I require), I cannot make it work.
Is there a different policy formulation or a different method altogether to restrict the access to this S3 Bucket to traffic from the VPC AND from Textract service exclusively?
This will not be possible.
In general, it's a good idea to avoid Deny policies since they override any Allow policy. They can be notoriously hard to configure correctly.
One option would be to remove the Deny and be very careful in who is granted Allow access to the bucket.
However, if this is too hard (e.g. admins are given access to all buckets by default), then a common practice is to move sensitive data to an S3 bucket in a different AWS account and only grant cross-account access to specific users.
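The two answers above, the cross-account staging-bucket answer and this one about the VPC-only Deny, both rest on the same evaluation rules: an explicit Deny in any applicable policy is final, a cross-account request needs an Allow from both the caller's identity policy and the bucket policy, and a StringNotEquals condition on a key the request does not carry evaluates to true. The following is an added example, not AWS code and not from either answer: a small evaluator that models just that subset (Allow/Deny, "*" wildcards, AWS principals, StringEquals/StringNotEquals) and runs both scenarios through it. The account IDs, the "third-party-dev" user, the "admin" role and the object keys are constructed placeholders.

```python
# Added example: minimal model of IAM policy evaluation (not AWS code).
# Covers only Allow/Deny, "*"/"?" wildcards, "AWS" principals and the
# StringEquals / StringNotEquals operators. All ARNs below are constructed.
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # "Principal": "*" (or {"AWS": "*"}) matches everyone; otherwise the
    # caller's ARN must be listed explicitly.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _condition_holds(condition, context):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # IAM rule: when the key is absent from the request,
                # every ...NotEquals condition evaluates to true.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, request, check_principal):
    """Return "Deny", "Allow" or None (no matching statement) for one policy."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if check_principal and not _principal_matches(stmt.get("Principal"), request["principal"]):
            continue
        if not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), request.get("context", {})):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny is final
        decision = "Allow"
    return decision


def is_allowed(request, identity_policy, resource_policy):
    """Combine the caller's identity policy with the bucket (resource) policy."""
    ident = evaluate(identity_policy, request, False) if identity_policy else None
    res = evaluate(resource_policy, request, True) if resource_policy else None
    if "Deny" in (ident, res):
        return False
    caller_account = request["principal"].split(":")[4]
    if caller_account == request["resource_account"]:
        return "Allow" in (ident, res)          # same account: either side suffices
    return ident == "Allow" and res == "Allow"  # cross-account: both sides needed


# Scenario 1: third-party dev in account 111... writing to the staging bucket in 222...
DEV_USER = "arn:aws:iam::111111111111:user/third-party-dev"   # constructed
STAGING_ACCOUNT = "222222222222"                              # constructed
STAGING_BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": DEV_USER},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::staging-bucket/*"}]}
DEV_IDENTITY_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::staging-bucket/*"}]}


def staging_request(action, identity_policy=DEV_IDENTITY_POLICY, principal=DEV_USER):
    request = {"principal": principal, "action": action,
               "resource": "arn:aws:s3:::staging-bucket/upload.png",
               "resource_account": STAGING_ACCOUNT}
    return is_allowed(request, identity_policy, STAGING_BUCKET_POLICY)


# Scenario 2: the bucket policy from the Textract question (Deny unless aws:SourceVpc matches)
VPC_ONLY_BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::zzzz", "arn:aws:s3:::zzzz/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-xxxx"}}}]}
ADMIN_ROLE = "arn:aws:iam::222222222222:role/admin"           # constructed
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def vpc_locked_read(context):
    request = {"principal": ADMIN_ROLE, "action": "s3:GetObject",
               "resource": "arn:aws:s3:::zzzz/scan.pdf",
               "resource_account": "222222222222", "context": context}
    return is_allowed(request, ADMIN_POLICY, VPC_ONLY_BUCKET_POLICY)


if __name__ == "__main__":
    print("dev PutObject, both policies present:", staging_request("s3:PutObject"))
    print("dev PutObject, bucket policy only:", staging_request("s3:PutObject", None))
    print("dev DeleteObject (not granted):", staging_request("s3:DeleteObject"))
    print("admin read from vpc-xxxx:", vpc_locked_read({"aws:SourceVpc": "vpc-xxxx"}))
    print("admin read with no aws:SourceVpc key:", vpc_locked_read({}))
```

The last call is the one that matters for the Textract question: a request that does not carry aws:SourceVpc at all still matches the StringNotEquals condition and is denied, regardless of how generous the caller's identity policy is, which is why no Allow statement can carve out an exception to that Deny.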