Resource field error - AWS S3 access point - amazon-web-services

I want to access my s3 bucket from some specify IP address that would visit my s3 bucket with S3 restful api.
But I can't set-up the access point policy successful.
aws show me some error in my policy json.
following is my policy json:
{
"Version": "2012-10-17",
"Id":<Id>,
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::<bucket-name>/*",
"arn:aws:s3:::<bucket-name>"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"<my ip>"
]
}
}
}
]
}
I pretty sure my bucket arn is correct, but aws show following error:
Unsupported Resource ARN In Policy: The resource ARN is not supported for the resource-based policy attached to resource type S3 Access Point.
I had try to change action value or remove one of resource array, but it's still not work.

Related

How to setup terraform state on encrypted s3 bucket

I have setup an s3 backend for terraform state following this excellent answer by Austin Davis. I followed the suggestion by Matt Lavin to add a policy encrypting the bucket.
Unfortunately that bucket policy means that the terraform state list now throws the
Failed to load state: AccessDenied: Access Denied status code: 403, request id: XXXXXXXXXXXXXXXX, host id: XXXX...
I suspect I'm missing either passing or configuring something on the terraform side to encrypt the communication or an additional policy entry to be able to read the encrypted state.
This is the policy added to the tf-state bucket:
{
"Version": "2012-10-17",
"Id": "RequireEncryption",
"Statement": [
{
"Sid": "RequireEncryptedTransport",
"Effect": "Deny",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::${aws_s3_bucket.terraform_state.bucket}/*"],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Principal": "*"
},
{
"Sid": "RequireEncryptedStorage",
"Effect": "Deny",
"Action": ["s3:PutObject"],
"Resource": ["arn:aws:s3:::${aws_s3_bucket.terraform_state.bucket}/*"],
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
},
"Principal": "*"
}
]
}
I would start by removing that bucket policy, and just enable the newer default bucket encryption setting on the S3 bucket. If you still get access denied after doing that, then the IAM role you are using when you run Terraform is missing some permissions.

S3 bucket policy is not allowing Athena to perform query execution

I am performing Amazon Athena queries on an S3 bucket. Let's call it athena-bucket. Today I got a requirement to restrict this bucket over VPC Enpoints. So I have tried this S3 bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VPCe and SourceIP",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::**********:user/user_admin",
"arn:aws:iam::**********:root",
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::athena-bucket",
"arn:aws:s3:::athena-bucket/abc/*"
],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": [
"vpce-XXXXxxxxe",
"vpce-xxxxxxxxxx",
"vpce-XXXXXXXXXXXXXX"
]
},
"NotIpAddress": {
"aws:SourceIp": [
"publicip/32",
"publicip2/32"
]
}
}
}
]
}
Please note that Athena has full permission to access the above bucket. I want to use the S3 bucket policy to restrict access from only certain IP addresses and VPC Endpoint.
However, I am getting access denied error although request is routed through VPC Endpoints mentioned in the policy.
Amazon Athena is an Internet-based service. It accesses Amazon S3 directly and does not connect via an Amazon VPC.
If you restrict the bucket to only be accessible via a VPC Endpoint, Amazon Athena will not be able to access it.
There is actually a solution for you to get what you are asking for. The following policy condition allows actions from all of your VPC endpoints and Athena:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VPCe and SourceIP",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::**********:user/user_admin",
"arn:aws:iam::**********:root",
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::athena-bucket",
"arn:aws:s3:::athena-bucket/abc/*"
],
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:sourceVpce": [
"vpce-XXXXxxxxe",
"vpce-xxxxxxxxxx",
"vpce-XXXXXXXXXXXXXX"
],
"aws:CalledVia": [ "athena.amazonaws.com" ]
}
}
}
]
}
The "ForAllValues" portion of the condition is what turns this AND condition into an OR.
Not sure how your IP restrictions would play with this, since you cannot tell which IPs Athena would be coming from.

CloudFormation stack gives "API: s3:GetObject Access Denied"

I'm having issues deploying CF-stack when used in combination with a S3 bucket.
The S3 bucket contains a swagger definition that API Gateway needs to access.
My S3 bucket has a bucket policy that contains an IP-filter, along these lines:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "IpFilter",
"Effect": "Deny",
"NotPrincipal": {
"Service": [
"lambda.amazonaws.com",
"apigateway.amazonaws.com"
]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-code-dev/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.4/32",
"5.6.7.8/32"
]
}
}
}
]
}
The intent is to deny access to this S3-bucket for anyone not coming from the specified IP addresses or for the specified services.
When deploying my stack I'm hitting an error when deploying the AWS::ApiGateway::RestApi resource with Status Reason "API: s3:GetObject Access Denied".
This is obviously tied to the bucket policy, because if I remove the policy the issue disappears. Any ideas as to what is missing in the policy?

Error: Access Denied in S3 bucket after applying VPC policy

I have applied a policy to allow only connections from my VPC:
{
"Version": "2012-10-17",
"Id": "Policy1415115909153",
"Statement": [
{
"Sid": "Access-to-specific-VPC-only",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::examplebucket",
"arn:aws:s3:::examplebucket/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": "vpc-111bbb22"
}
},
"Principal": "*"
}
]
}
But now I'm getting "Access Denied" even when I try to access it from the AWS Console from an instance in the given VPC:
I've read https://aws.amazon.com/premiumsupport/knowledge-center/s3-regain-access/, but unfortunately I use a company-provided federated login and I don't have access to the full root user.
My question is why can't I access the bucket even when inside the VPC?
Some similar questions that I found - Policy Denying Access On Amazon S3 and S3 VPC end point Bucket policy
To prevent your policy from being applied to your federated users in AWS console, you could "whitelist" them using the NotPrincipal element instead of Principal in your policy statement. For example:
{
"Version": "2012-10-17",
"Id": "Policy1415115909153",
"Statement": [
{
"Sid": "Access-to-specific-VPC-only",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::examplebucket",
"arn:aws:s3:::examplebucket/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": "vpc-111bbb22"
}
},
"NotPrincipal": {
"Federated": "arn:aws:iam::YOUR-AWS-ACCOUNT-ID:saml-provider/YOUR-PROVIDER-NAME"
}
}
]
}
Do you have a VPC endpoint for S3 set up?
There are two ways to access objects in S3. One is through the AWS console and the other is through HTTPS calls to the S3 object.
If you're trying to access the bucket from the AWS console, then permission is governed by your IAM user/role and bucket policy. You're using a federated login, so I'm assuming it's a role.
From an instance in VPC-111bbb222, log out of the AWS console and try to access an object in that bucket using the HTTPS URL.

AWS S3 IAM policy for role for restricting few instances to connect to S3 bucket based in instance tag or instance id

I have a AWS S3 already associated with all the instances for read privileges to all S3 buckets. Now I need to add a policy to the roles for write privileges(Put object) so that a few of these instances can have write permissions to certain folders in the S3. Is there any way to achieve it through instance tag(better option for me) or instance id.
I tried adding an IAM policy but when I set the condition, my instances are not getting the required privileges.
The IAM policy I used is:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1456567757624",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::testbucket/testfolder1/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:ec2:eu-west-1:<accountno>:instance/<instanceid1>"
}
}
},
{
"Sid": "Stmt1456567757625",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::testbucket/testfolder2/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:ec2:eu-west-1:<accountno>:instance/<instanceid2>"
}
}
}
]
}
Here's an alternative, based on hints given in Granting access to S3 resources based on role name...
Instead of using aws:SourceArn, use aws:userid!
The Request Information That You Can Use for Policy Variables documentation has a table showing various values of aws:userid including:
For Role assigned to an Amazon EC2 instance, it is set to role-id:ec2-instance-id
Therefore, you could use the Role ID of the role that is used to launch the Amazon EC2 instance to permit access OR the Instance ID.
For example, this one is based on a Role ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aws:userid": [
"AROAIIPEUJOUGITIU5BB6*"
]
}
}
}
]
}
Of course, if you are going to assign permission based on a Role ID, then you can just as easily grant permissions within the Role itself.
This one is based on an Instance ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aws:userid": [
"*:i-03c9a5f3fae4b630a"
]
}
}
}
]
}
The Instance ID will remain with the instance, but a new one will be assigned if a new instance is launched, even from the same Amazon Machine Image (AMI).
The IAM Policy Elements Reference documentation says:
aws:SourceArn – To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services.)
However, the documentation does not state which services can use it.
There are examples available for its use with SQS and SNS, with a sourceARN of an Amazon S3 bucket and also using sourceARN with Lambda. However, it does not appear to be supported with Amazon EC2.