I am trying to find the solution for config s3-bucket-policy-grantee-check-conformance-pack showing noncompliance on this S3 Bucket Policy and can't seem to find a solution.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
Is there a way to set access permissions (READ/WRITE) to only the creators of the buckets/objects?
We are working on a project that requires storing the data only for specific users. (I know about setting permissions for specific groups - Admin, Developers, etc. - but that's not the case here, as some other Developers are not allowed to view the items either.)
Is it possible to perform it via policy?
Or is it just not possible to do so?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::targetBucketName",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::targetBucketName",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
},
{
"Sid": "AWSConfigBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::targetBucketName/[optional] prefix/AWSLogs/sourceAccountID/Config/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"AWS:SourceAccount": "sourceAccountID"
}
}
}
]
}
According to the documentation, all I have to do is add this S3 bucket policy:
{
"Version":"2012-10-17",
"Id":"http referer policy example",
"Statement":[
{
"Sid":"Allow get requests originating from www.example.com and example.com.",
"Effect":"Allow",
"Principal":"*",
"Action":["s3:GetObject","s3:GetObjectVersion"],
"Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"Condition":{
"StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
}
}
]
}
So I went to my bucket and I found these existing policies:
{
"Version": "2008-10-17",
"Id": "Policy1335892530063",
"Statement": [
{
"Sid": "Stmt1335892150622",
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cur:us-east-1:122xxxxxx328:definition/*",
"aws:SourceAccount": "122xxxxx328"
}
}
},
{
"Sid": "Stmt1335892526596",
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cur:us-east-1:122xxxxx328:definition/*",
"aws:SourceAccount": "122xxxxx5328"
}
}
}
]
}
So I added this one:
{
"Sid": "Allow get requests originating from www.mywebsite.com and mywebsite.com.",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://www.mywebsite.com/*",
"https://mywebsite.com/*"
]
}
}
}
And so this is the final result:
{
"Version": "2008-10-17",
"Id": "Policy1335892530063",
"Statement": [
{
"Sid": "Stmt1335892150622",
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cur:us-east-1:122xxxxxx328:definition/*",
"aws:SourceAccount": "122xxxxx328"
}
}
},
{
"Sid": "Stmt1335892526596",
"Effect": "Allow",
"Principal": {
"Service": "billingreports.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cur:us-east-1:122xxxxx328:definition/*",
"aws:SourceAccount": "122xxxxx5328"
}
}
},
{
"Sid": "Allow get requests originating from www.mywebsite.com and mywebsite.com.",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://www.mywebsite.com/*",
"https://mywebsite.com/*"
]
}
}
}
]
}
But still, the resources wouldn't load on mywebsite.
Any idea what's going on or what I should check to debug this?
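To debug a Referer-conditioned statement like the one above, it helps to evaluate the StringLike match by hand. This is an added example of mine, not code from the post or from AWS: it models IAM's StringLike matching and runs the question's two patterns against constructed Referer values (the hostnames are the placeholders from the post).

```python
import re
from typing import Iterable, List, Optional, Tuple

# aws:Referer patterns copied from the StringLike condition in the question.
REFERER_PATTERNS = ["https://www.mywebsite.com/*", "https://mywebsite.com/*"]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters and
    '?' exactly one; everything else, including '/' and '.', is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def referer_allows(referer: Optional[str],
                   patterns: Iterable[str] = REFERER_PATTERNS) -> bool:
    """Does the aws:Referer condition of the Allow statement match this request?
    With no Referer header the key is absent from the request context, so a
    plain StringLike can never match and the statement does not apply."""
    if referer is None:
        return False
    return any(string_like(p, referer) for p in patterns)


# Constructed sample Referer values a browser might send to the bucket.
SAMPLES: List[Tuple[Optional[str], str]] = [
    ("https://www.mywebsite.com/gallery.html", "expected hit"),
    ("https://mywebsite.com/", "expected hit"),
    ("http://www.mywebsite.com/gallery.html", "scheme differs"),
    ("https://blog.mywebsite.com/", "subdomain not listed"),
    ("https://www.mywebsite.com.other.example/", "longer host, not a match"),
    (None, "no Referer header (Referrer-Policy / direct link)"),
]


def evaluate_samples(samples=SAMPLES) -> List[Tuple[Optional[str], bool]]:
    return [(ref, referer_allows(ref)) for ref, _ in samples]


if __name__ == "__main__":
    for ref, note in SAMPLES:
        print(f"{'ALLOW' if referer_allows(ref) else 'no match':8} {ref!r}  ({note})")
```

Also check the bucket's S3 Block Public Access settings: an Allow to Principal "*" conditioned only on aws:Referer is treated as a public policy, and RestrictPublicBuckets makes S3 ignore public policies for anonymous requests.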
I am attempting to deploy an SSM Inventory Collection and a Resource Data Sync via CloudFormation in 15 accounts. I am able to manually add each account by adding a statement in the central S3 bucket policy for proper access. I was wondering whether there is a way to create a policy that allows newly created AWS accounts in the future to have proper access without adding a statement to the S3 bucket policy. Below is the documentation I have followed. I was using the method below to add each account:
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=123456789012/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=444455556666/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=777788889999/*"
],
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html
Further in the documentation, I see you can create a resource data sync for accounts defined in AWS Organizations. But this still doesn't accomplish granting access to any new accounts where the template gets deployed.
Creating an inventory resource data sync for accounts defined in AWS Organizations
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::S3_bucket_name"
},
{
"Sid": "SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"s3:RequestObjectTag/OrgId": "organization-id",
"aws:SourceAccount": "123456789012"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:ssm:*:123456789012:resource-data-sync/*"
}
}
},
{
"Sid": "SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
]
}
]
}
I have played around with a few policies, but they don't seem to work.
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::inventorycollectionsync/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-mb7bem0c79"
}
}
}
]
}
Try this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": "SSMBucketOrgDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:RequestObjectTag/OrgId": "org-id",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
I need to add a condition for policy expiration:
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2020-01-22T12:29:59Z"
},
"DateLessThan": {
"aws:CurrentTime": "2020-11-22T19:35:00Z"
}
}
Try this (I didn't test it):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*",
"elasticloadbalancing:*",
"cloudwatch:*",
"autoscaling:*",
"s3:*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2020-01-22T12:29:59Z"
},
"DateLessThan": {
"aws:CurrentTime": "2020-11-22T19:35:00Z"
}
}
}
]
}
I have the following configuration and I've already tried a lot of things. Can someone check it and say what might be the issue?
I've added the canonical account of the source to the destination bucket.
Replication is enabled on the source bucket. It is replicating the whole bucket.
Source bucket.
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::source-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
},
{
"Sid": "AWSSourcebucketWrite20131101",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::external_account_who_write_the_files:root",
"arn:aws:iam::external_account_who_write_the_files:root",
"arn:aws:iam::external_account_who_write_the_files:root"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::source-bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
Destination bucket
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::source-bucket-replication/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
},
"Bool": {
"aws:SecureTransport": "true"
}
}
},
{
"Sid": "Stmt123",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::source_bucket_account:root"
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Resource": "arn:aws:s3:::source-bucket-replication/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
}
]
}
Did you try adding a new file to your source bucket? Or updating an existing file in the source bucket? I think replication takes effect only on the items added or updated after enabling replication.
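The date window in the expiring-policy answer above and the Null/Bool Deny on the replication destination bucket both come down to how IAM ANDs every key inside a Condition block. Here is an added example of mine (not code from any of these posts or from AWS) that models the Null, Bool, StringEquals, DateGreaterThan and DateLessThan operators and evaluates both Condition blocks against constructed request contexts.

```python
from datetime import datetime
from typing import Any, Dict, Optional

def _iso(ts: str) -> datetime:
    """Parse the ISO 8601 form IAM uses for aws:CurrentTime (trailing Z = UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def condition_matches(condition: Dict[str, Dict[str, Any]],
                      context: Dict[str, Optional[str]]) -> bool:
    """Evaluate one policy Condition block against a request context.
    Every operator and every key in the block must match (logical AND);
    a key absent from the context satisfies only Null with value true."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "Null":
                ok = (actual is None) == (str(expected).lower() == "true")
            elif actual is None:
                ok = False
            elif operator == "Bool":
                ok = actual.lower() == str(expected).lower()
            elif operator == "StringEquals":
                ok = actual in ([expected] if isinstance(expected, str) else expected)
            elif operator == "DateGreaterThan":
                ok = _iso(actual) > _iso(expected)
            elif operator == "DateLessThan":
                ok = _iso(actual) < _iso(expected)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True

# Condition block from the time-boxed policy answer.
TIME_WINDOW = {"DateGreaterThan": {"aws:CurrentTime": "2020-01-22T12:29:59Z"},
               "DateLessThan": {"aws:CurrentTime": "2020-11-22T19:35:00Z"}}
# Condition block from the destination bucket's DenyUnEncryptedObjectUploads.
DEST_DENY = {"Null": {"s3:x-amz-server-side-encryption": "true"},
             "Bool": {"aws:SecureTransport": "true"}}

def allowed_by_time_window(now: str) -> bool:
    return condition_matches(TIME_WINDOW, {"aws:CurrentTime": now})

def deny_fires(sse_header: Optional[str], secure_transport: str) -> bool:
    # Constructed request context: SSE header value (None = header absent)
    # and whether the request used TLS ("true" / "false").
    ctx = {"s3:x-amz-server-side-encryption": sse_header,
           "aws:SecureTransport": secure_transport}
    return condition_matches(DEST_DENY, ctx)
```

Note what the last case shows: the destination Deny as written fires only when the SSE header is absent and the request is over TLS, so a plaintext-HTTP upload without the header is not denied by that statement.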