I have an s3 bucket where I have a policy in place to prevent anyone from getting access to the objects if they are not from my VPC, However, now when I put a lifecycle policy on the bucket it doesn't apply
Here is the current policy I have on the bucket:
{
"Version": "2012-10-17",
"Id": "Policy1636125293921",
"Statement": [
{
"Sid": "Stmt1636125292369",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringNotEquals": {
"aws:SourceVPC": [
"vpc-0987654321",
"vpc-1234567890"
]
}
}
}
]
}
I have tried to add a second statement that gives full access to my user with this statement:
{
"Sid": "Stmt1636125292368",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/username"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucketname/*"
}
I've tried a few different combinations of this second statement, but it is still not running the lifecycle policy, the policy exists and is there, but it doesn't run. Under "Object management overview" for one of the objects the Expiration date and Expiration rule remain blank, however if I remove the DENY policy, then I am able to see the Expiration date. I need that DENY policy to keep doing what it does so I cant remove that. I will also add that the user I am using has full admin permissions.
Instead of having the Principal as "*" for the DENY statement, I replaced it with
"NotPrincipal": {
"AWS": [
"arn:aws:iam::123456789012:user/username",
"arn:aws:iam::123456789012:root"
The policy now denies anyone who isn't from my account, but it also allows anonymous users who are accessing the objects via the VPC to still have access. This has now allowed me to successfully run the lifecycle policy on the bucket.
Related
I have an IAM user created with a policy for my bucket. With "public block access" enabled I can interact with the bucket as expected through this user.
Now I need to make a single public read-only folder using bucket policies, but I am not having any luck. I created the below policy which should
Disable all access to all principles
Enable all access for my IAM user
Enable read-only access to specific folders for all users.
{
"Id": "Policy1676746531922",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1676745894018",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": "*"
},
{
"Sid": "Stmt1676746261470",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::000000000:user/bucket-user"
]
}
},
{
"Sid": "Stmt1676746523001",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/read-only-folder",
"Principal": "*"
}
]
}
I guess you cannot layer up access in this way, but I am unsure how to construct what I need. If I go with a single read policy to open up one folder, I still seem to be able to access all other folders publically too:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/public/*"
}
]
}
I can access "/public" but can still access "/private" too.
I need a way first to lock down the entire bucket and then open up the folders I want to provide access for?
Your policy is failing because Deny always overrides an Allow.
The first statement in the policy will Deny access to the bucket for everyone (including you!).
Your second policy on arn:aws:s3:::bucket-name/public/* is the correct way to go. It will only grant anonymous access to that particular folder.
If you are able to access other folders, then either there are other policies that exist, or you are using "authenticated access" using your own AWS credentials. Make sure when you test it that you are putting a URL into a web browser that simply looks like: https://bucket-name.ap-southeast-2.s3.amazonaws.com/foo.txt
Be default our users have full S3 access via IAM, I have one bucket however that I need to limit access to one specific user, and block all other users.
I followed this guide here https://aws.amazon.com/premiumsupport/knowledge-center/explicit-deny-principal-elements-s3/
and made this bucket policy -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:user/USERWHONEEDSACCESS"
]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::NAMEOFBUCKET/*"
},
{
"Sid": "",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::NAMEOFBUCKET/*",
"Condition": {
"StringNotLike": {
"aws:userid": "USERWHONEEDSACCESS:*"
}
}
}
]
}
However it no worky. Any suggestions?
You can try the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:user/USERWHONEEDSACCESS"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::nameofbucket/*",
"arn:aws:s3:::nameofbucket"
],
"Effect": "Allow"
},
{
"NotPrincipal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:user/USERWHONEEDSACCESS"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::nameofbucket/*",
"arn:aws:s3:::nameofbucket"
],
"Effect": "Deny"
}
]
}
In the How to Restrict Amazon S3 Bucket Access to a Specific IAM Role blog post you can read more about using NotPrincipal and restricting access to a single IAM User, specifically:
You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.
To generate this policy code snippet, I used this: https://asecure.cloud/a/s3_restrict_iam_user/ and I pre-filled the iamPrincipal and bucketName parameters with your example values.
While #Rigerta 's answer will work, I think it's worthy to explain why and how you can make your policy work
If you notice, in your policy you're specifying that only that user will be able to access all objects in your bucket
"Resource": "arn:aws:s3:::NAMEOFBUCKET/*"
However, the way IAM permissions work for S3 buckets is a bit tricky. Yes, that user has access to all objects and if he/she tries to push/pull an object via cli the operation will probably succeed, although via AWS console the bucket is unreachable. It's because the user has only access to the objects in the bucket, not the bucket itself
Therefore, you need to add the bucket to your resources. Changing
"Resource": "arn:aws:s3:::NAMEOFBUCKET/*"
by
"Resource": ["arn:aws:s3:::NAMEOFBUCKET/*", "arn:aws:s3:::NAMEOFBUCKET"]
should make it work.
You can check this blogpost for an example of an IAM policy for accessing a bucket. Notice how different actions are granted to different resources
Make sure that you are using an IAM unique identifier in your condition (it should start with the letters AIDA for IAM users).
"StringNotLike": {
"aws:userid": "AIDAXXXXXXXXXXXXX:*"
}
I suspect that you have written the username in your condition because you use the same placeholder as in the Principal. The IAM User Id is distinct from the username and the arn and cannot be found through the Console, but you can for example retrieve it with the aws cli get-user command.
I've a bucket with GetObject available to everyone on full bucket(*). I want to make a few objects private(through Object level operation ACL), i.e. only the bucket owner should have read access to the object. I've gone through all available documentation, but couldn't find any possible way. Can anyone confirm is this possible or not?
You cannot use S3 Object ACLs because ACLs do not have a DENY.
You can modify your S3 policy to specify objects and deny access to individual items.
Example S3 Policy (notice that this policy forbids access to everyone for GetObject for two files):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*"
},
{
"Sid": "DenyPublicReadGetObject",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::mybucket/block_this_file",
"arn:aws:s3:::mybucket/block_this_file_too"
]
}
]
}
If you want to add a condition so that certain users can still access the objects, add a condition after the Resource section like this. This condition will allow IAM users john.wayne and bob.hope to still call GetObject.
"Resource": [
"arn:aws:s3:::mybucket/block_this_file",
"arn:aws:s3:::mybucket/block_this_file_too"
],
"Condition": {
"StringNotEquals": {
"aws:username": [
"john.wayne",
"bob.hope"
]
}
}
I have configured my S3 bucket with Bucket Policy that looks like this
{
"Version": "2012-10-17",
"Id": "Policy100000000000",
"Statement": [
{
"Sid": "Stmt1463490591045",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*"
},
{
"Sid": "Stmt1463490591012",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::012345678900:user/user1",
"arn:aws:iam::012345678900:user/user2"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": "Stmt1463490660089",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::012345678900:user/user1",
"arn:aws:iam::012345678900:user/user2"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*.xml"
}
]
}
The goal is to allow access to xml files in the bucket root to the selected users only. The rule doesn't seem to be working, since I get access denied
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>DE3DB1FF18B53997</RequestId><HostId>Iy+RnfkFKygJWkSTI0dXjssFsGFP2MydZZi/R5KBw5M8mZnfClt6HMOKJvAwy7sJgSx9BJQ3DbN=</HostId></Error>
I've tried fetching the xml files with AWS Node.js and Python SDKs and with aws-cli. I keep getting the same access denied message.
The AWS documentation regarding Bucket Policies is quite scattered around and has not provided me with a solution to the problem. There's very little documentation at all about using notPrincipal in the policy.
The ListBucket permission works all right, which means that the problem is specific to the rule, not the aim users.
The goal is to allow access to xml files in the bucket root to the selected users only
As per current documentation, s3 do not support file listing resource per postfix/filetype. It only support with prefix, so you would need to put a star without .xml at the end (which allow to access all objects at the folder layer), then you could implement logic to your app if you would allow to access the file or not.
For the bucket policy, by default, s3 policy would give access to user from the account (where the bucket created), as long as the IAM policy have the permission to do so. This is defined from ACL (Access Control List), go to S3 > Permission > Access Control List to check it out.[ AWS S3 ACL docs ]. So the first 2 statement might not be necessary in the statements. For the last statement, this might work but need an additional assumed-role ARN which will vary depending on what is defined for the role session name.
It is recommended to not use the NotPrincipal, and instead use the Condition key at the statement. Put the roleId as the userId at the StringNotLike statement to ignore the deny statement for the particular roleId. Also include the account number at the userId. Example as follows.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::MyExampleBucket",
"arn:aws:s3:::MyExampleBucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"ROLE_ID_HERE:*",
"ACCOUNT_NUMBER_HERE"
]
}
}
}
]
}
Check out on this AWS blog for more info:
https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
Your last deny policy simply doesn't talk about what should happen (allow or deny) to the requests with principal user1 or user2. When you send an s3 request as user1 or user2, the bucket policy won't have any effect (since it doesn't have any rule matching the principal user1 or user2 w.r.t the given action and the given resource).
The goal is to allow access to xml files in the bucket root to the selected users only
In this situation, you can mention a rule for explicitly allowing those users the access to your xml files.
{
"Sid": "Stmt1463490660089",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::012345678900:user/user1",
"arn:aws:iam::012345678900:user/user2"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*.xml"
}
I can't work out how to set my bucket policy to achieve what I want. Any help would be much appreciated! My desired rules are:
users in my account have access via user policies, so shouldn't need access specifically granted to them
anonymous users (or anyone outside my AWS account) should have no access, except:
one folder /temp_public should have a public GetObject (i.e. if you know the URL you can get the file)
these policies should override the object ACL on the files in the bucket, as the object ACLs are sometimes set to public read.
The reason for creating the bucket policy is that many of the objects in the bucket have a public read ACL (inadvertently set when the files were uploaded, but could also happen in future so I want to override the object ACL with the bucket ACL).
Ignoring the temp_public folder, I hoped I could just do this:
{
"Version": "2008-10-17",
"Id": "Policy123456789",
"Statement": [
{
"Sid": "Stmt1",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket-name/*"
}
]
}
(where 123456789012 is my AWS account number), but I get access denied for all users with that bucket policy. I guess the NotPrincipal isn't working in this case?
thanks for any suggestions!
Rory
UPDATE: cross-posted here on AWS forums, and answered!
Many thanks to IP from AWS Forums for this answer, which I've confirmed is working for me:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BucketName/temp_public/*"
}
]
}
This statement will give anyone Read access to objects inside temp_public folder, regardless ACLs on those files.
To override the public access on all other files, you should provide a +Deny+-type statement. The explicit Deny overrides any Allow access, so you must exclude already given permissions. so use NotResource as an exclusion mask (NOT FINAL YET, read below):
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"NotResource": "arn:aws:s3:::BucketName/temp_public/*"
}
However, this will deny access to ALL users including your account too, because principal is set to "*". Therefore, you must exclude your account from this Deny (STILL NOT FINAL):
{
"Effect": "Deny",
"NotPrincipal": { "AWS": "arn:aws:iam::XXXXYYYYZZZZ:root" },
"Action": "s3:GetObject",
"NotResource": "arn:aws:s3:::BucketName/temp_public/*"
}
(where XXXXYYYYZZZZ is your 12-digit AWS account Id)
There's still problem: the statement above denies access to all IAM users (except root account).
You'd like to exclude all your IAM users too, but this is tricky. For some reasons, Amazon S3 doens't support wildcards for specifying IAM users in a bucket policy. You cannot write "arn:aws:iam::XXXXYYYYZZZZ:user/*" as Principal (it gives an error: "Invalid principal in policy"). You have to specify exact user names:
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::XXXXYYYYZZZZ:root",
"arn:aws:iam::XXXXYYYYZZZZ:user/user1",
"arn:aws:iam::XXXXYYYYZZZZ:user/user2",
"arn:aws:iam::XXXXYYYYZZZZ:user/user3",
"arn:aws:iam::XXXXYYYYZZZZ:user/user4" ]
}
"Action": "s3:GetObject",
"NotResource": "arn:aws:s3:::BucketName/temp_public/*"
}
NB from Rory: The S3 docs suggest you can use arn:aws:iam::XXXXYYYYZZZZ:root to cover all users in the account, but that just doesn't seem to work
So the final policy will look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BucketName/temp_public/*"
},
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::XXXXYYYYZZZZ:root",
"arn:aws:iam::XXXXYYYYZZZZ:user/user1",
"arn:aws:iam::XXXXYYYYZZZZ:user/user2",
"arn:aws:iam::XXXXYYYYZZZZ:user/user3",
"arn:aws:iam::XXXXYYYYZZZZ:user/user4" ]
}
"Action": "s3:GetObject",
"NotResource": "arn:aws:s3:::BucketName/temp_public/*"
}
]
}