S3 VPC endpoint IAM breaks access to ECR - amazon-web-services

I am using an S3 VPC endpoint (type: gateway). I wanted to restrict access to S3 resources from my private subnet to only the resources that belong to my account. I used the IAM policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": ["myAccountId"]
        }
      }
    }
  ]
}
This works fine for S3; however, it breaks access to ECR from the node itself, so it can no longer pull Docker images.
This is what happens when I use docker pull:
error pulling image configuration: error parsing HTTP 403 response body: invalid character '<' looking for beginning of value: "<Error>...Access Denied...</Error>"
This is the message from the Kubernetes node that tries to fetch the image:
Failed to pull image "<accountId>.dkr.ecr.eu-west-1.amazonaws.com/<repoName>:<tag>": failed to copy: httpReaderSeeker: failed open: unexpected status code https://<accountId>.dkr.ecr.eu-west-1.amazonaws.com/v2/<repoName>/blobs/sha256:<hash>: 403 Forbidden
If I remove the principal account condition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}
things are working OK.
It seems to me that the ECR endpoint creates a pre-signed URL to S3, which then gets blocked by my policy above.
Is there any way to allow the ECR pre-signed URL, whilst still restricting access to only AWS resources that belong to my account?

After displaying the Docker daemon logs I noticed that it tries to fetch the resource from: prod-eu-west1-starport-layer-bucket.s3.eu-west-1.amazonaws.com.
I then found AWS documentation which describes the minimal permissions required:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-s3-gateway
I then added this block to my S3 VPC endpoint IAM policy:
{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::prod-eu-west-1-starport-layer-bucket/*"
}
and things started to work fine.
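The following is an added example, not code from the post or from AWS: a toy evaluator for the gateway-endpoint policy above, covering only Allow/Deny statements with Action/Resource wildcards and StringEquals conditions, which is enough to reproduce both outcomes the poster saw. The account id, bucket names and object keys are constructed. The layer pull is modelled on the poster's reading of the failure: the docker daemon fetches the layer with a pre-signed URL issued by ECR, so the request context does not carry the poster's account id; here that is represented by a made-up foreign account, and an absent key fails StringEquals the same way.

```python
"""Toy evaluator for an S3 gateway-endpoint policy (added example; not from the
post or from AWS). Models Allow/Deny, IAM's * wildcard in Action/Resource, and
StringEquals conditions only. All ids, buckets and keys below are constructed.
"""
from fnmatch import fnmatchcase

MY_ACCOUNT = "123456789012"        # stands in for "myAccountId" (constructed)
FOREIGN_ACCOUNT = "000000000000"   # constructed: any principal that is not us
LAYER_BUCKET = "arn:aws:s3:::prod-eu-west-1-starport-layer-bucket"

# The endpoint policy as first posted: every S3 call must come from our account.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalAccount": [MY_ACCOUNT]}},
    }],
}

# The same policy plus the statement the poster took from the ECR docs:
# read-only access to ECR's layer bucket for any principal.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": RESTRICTED_POLICY["Statement"] + [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": LAYER_BUCKET + "/*",
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """Only StringEquals is modelled. A key that is missing from the request
    context never satisfies StringEquals (the value None is never listed)."""
    for operator, entries in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in entries.items():
            if ctx.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """IAM-style evaluation: implicit deny, an explicit Deny wins, otherwise
    any matching Allow grants access."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def outcomes(policy):
    """The requests that matter for this thread, evaluated under `policy`."""
    ours = {"aws:PrincipalAccount": MY_ACCOUNT}
    theirs = {"aws:PrincipalAccount": FOREIGN_ACCOUNT}
    return {
        # our workload reading our own bucket
        "own account, own bucket": is_allowed(
            policy, "s3:GetObject", "arn:aws:s3:::my-private-bucket/app.tar.gz", ours),
        # our credentials writing to a bucket that is NOT ours: the condition
        # constrains the caller's account, not the bucket owner's
        "own account, foreign bucket": is_allowed(
            policy, "s3:PutObject", "arn:aws:s3:::someone-elses-bucket/x", ours),
        # docker fetching a layer via ECR's pre-signed URL
        "ecr layer pull": is_allowed(
            policy, "s3:GetObject", LAYER_BUCKET + "/3f/layer.tar.gz", theirs),
        # the fix must not make ECR's bucket a writable drop box
        "layer bucket write": is_allowed(
            policy, "s3:PutObject", LAYER_BUCKET + "/x", theirs),
    }


if __name__ == "__main__":
    print("restricted:", outcomes(RESTRICTED_POLICY))
    print("fixed:     ", outcomes(FIXED_POLICY))
```

Two things the evaluation makes visible that the thread does not spell out. First, the added statement grants only s3:GetObject on the one Amazon-owned layer bucket, so it reopens nothing else: PutObject to that bucket, and anything at all to other buckets, still fails for a principal outside the account. Second, aws:PrincipalAccount constrains who is calling, not which bucket is being reached: the poster's own credentials can still write to a bucket in another account through this endpoint. If the goal really is "only buckets that belong to my account", the condition to add is aws:ResourceAccount, which is not part of either policy on the page.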

Related

S3 HTTPS object URL not accessible via vpc endpoint

I configured an S3 Gateway VPC endpoint in my account and created an S3 bucket (Bucket-A) with no public access. I configured the bucket policy below on Bucket-A and tried to access a PNG file in that bucket using curl and wget from an EC2 instance, and ended up with an "HTTP/1.1 403 Forbidden" error. But a call via the AWS CLI works fine, which proves that traffic via the VPC endpoint works fine, e.g. aws s3 ls s3://Bucket-A.
Can you help me understand what additional configuration is needed to make the curl and wget GET operations work?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::Bucket-A/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpc": "vpc-xyzxyzxyz"
        }
      }
    }
  ]
}
VPC Endpoint Policy:
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}

AWS Root User Permission Denied on S3 Bucket policy

I created a new bucket on AWS S3 from the web wizard.
I was logged in as the root user.
I am attempting to add a bucket policy as follows:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AddPerm",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3:::<my-bucket-name-is-here>/*"
    ]
  }]
}
I get permission denied in both the web editor and the CLI
Web tool
CLI
An error occurred (AccessDenied) when calling the PutBucketPolicy operation: Access Denied
In the IAM settings, the root user has full access:
"Statement": [
  {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }
]
I added
{
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": "*"
}
I also tried adding
{
  "Sid": "ModifyBucketPolicy",
  "Action": [
    "s3:GetBucketPolicy",
    "s3:PutBucketPolicy"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:s3:::<MY-BUCKET-NAME>*"
}
I still don't have permissions.
Thanks to @JohnRotenstein I see that because I accepted the default "Block All Public Access" from AWS, I was unable to edit the bucket policy. This makes sense, since the bucket policy can also control access and could thus conflict.
However, the error message is confusing since it makes no mention of the fact that it is the Block public access (bucket settings) that prevented updating. The error message stating access denied / you don't have permissions made me think it was the IAM settings on my user that were preventing me from modifying the resource.

AWS S3 File Sync fails from Github Action but works fine locally

I'm trying to use this GitHub Action (https://github.com/jakejarvis/s3-sync-action) to run the AWS CLI s3 sync command to push files for a static website to an S3 bucket.
I set up the bucket policy to allow the required operations used by the sync command:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Sid": "GithubDeploymentA",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::163936899089:user/my-deploy-user"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket"
    },
    {
      "Sid": "GithubDeploymentB",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::163936899089:user/my-deploy-user"
      },
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket*"
    }
  ]
}
Now the sync command works when I run it locally using the "my-deploy-user" credentials. It even works if I run the Docker image for the GitHub Action locally, so I've verified that the script works, the user is set up correctly, and the bucket policy is set up correctly. However, when running from the GitHub Action, the script fails at the s3 sync command with Access Denied on the PutObject operations:
upload failed: build/favicon.ico to s3://my-bucket/favicon.ico An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
This is my first time really using AWS, so maybe I'm missing something obvious, but I couldn't find anything by googling so far. Since the GitHub Action is using the same credentials for the script as when I run it locally, and I haven't set up any IP-related conditions for permissions, I'm not sure what to look at next.
Any ideas?

Is aws:SourceVpc condition key present in the request context when interacting with S3 over web console?

I have a bucket policy (listed below) that is supposed to prevent access to an S3 bucket when it is accessed from anywhere other than a specific VPC. I launched an EC2 instance in the VPC, tested, and confirmed that S3 access works fine. Now, when I access the same S3 bucket over the web console, I get an 'Error - Access Denied' message.
Does this mean that the aws:SourceVpc condition key is present in the request context when interacting with S3 over the web console as well?
My assumption is that it is present in the request context, as otherwise the policy statement would have failed such that the statement's "Effect" does not apply, because there is no "IfExists" added to StringNotEquals. I'm asking this question as I could not find this information in the AWS documentation. Even after adding "IfExists" to StringNotEquals, the results are the same. Can someone confirm?
{
  "Version": "2012-10-17",
  "Id": "Policy1589385141624",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::abhxy12bst3",
        "arn:aws:s3:::abhxy12bst3/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-0xy915sdfedb5667"
        }
      }
    }
  ]
}
Yes, you are right. I tested the following bucket policy; the operations from the AWS S3 console are denied.
{
  "Version": "2012-10-17",
  "Id": "Policy1589385141624",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::abhxy12bst3",
        "arn:aws:s3:::abhxy12bst3/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:sourceVpc": "vpc-30*"
        }
      }
    }
  ]
}
It means there is definitely some VPC id present in the request. It might be the same for each account or it could be different.
This will apply to all requests interacting with S3. The console just provides a GUI on top of the AWS API.

Access S3 bucket from VPC

I'm running a NodeJS script and using the aws-sdk package to write files to an S3 bucket. This works fine when I run the script locally, but not from an ECS Fargate service; that's when I get Error: AccessDenied: Access Denied.
The service has the allowed VPC vpc-05dd973c0e64f7dbc. I've tried adding an Internet Gateway to this VPC, and also an endpoint (as seen in the attached image), but nothing resolves the Access Denied error. Any ideas what I'm missing here?
SOLVED: the problem was me misunderstanding aws:sourceVpce. It requires the VPC endpoint id and not the VPC id.
(screenshots: Endpoint, Internet Gateway)
Bucket policy:
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3MKW5OAU5CHLI"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::mywebsite.com/*"
    },
    {
      "Sid": "Stmt1582486025157",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mywebsite.com/*",
      "Principal": "*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpc-05dd973c0e64f7dbc"
        }
      }
    }
  ]
}
Please add a bucket policy that allows access from the VPC endpoint.
Update your bucket policy with a condition that allows users to access the S3 bucket when the request is from the VPC endpoint that you created. To whitelist those users to download objects, you can use a bucket policy similar to the following:
Note: For the value of aws:sourceVpce, enter the VPC endpoint ID of the endpoint that you created.
{
  "Version": "2012-10-17",
  "Id": "Policy1314555909999",
  "Statement": [
    {
      "Sid": "<<Access-to-specific-VPConly>>",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::awsexamplebucket/*"],
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-1c2g3t4e"
        }
      }
    }
  ]
}