I want to allow a specific IAM user (and no one else) to read files from a specific S3 bucket. I want to allow this IAM user to read the files from any external IP address. I have already created this IAM user, and attached a custom policy to this user allowing s3:GetObject operations on the one bucket.
I have also configured my S3 bucket to "Block all public access." My reasoning is that I don't want to allow access from any other user/stranger besides the designated IAM user.
I attempted to perform the read using the S3 SDK and the IAM user's API keys. And I'm getting the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied
I suspect that this is happening because of my "block all public access" bucket config. I don't quite understand what AWS is referring to when they say public. Are they referring to access from random/uncredentialed users? Or are they referring to access from public IP addresses? For my use case, should I enable or disable the following configs?
Block public access to buckets and objects granted through new access control lists (ACLs)
Block public access to buckets and objects granted through any access control lists (ACLs)
Block public access to buckets and objects granted through new public bucket or access point policies
Block public and cross-account access to buckets and objects through any public bucket or access point policies
Update: Turns out I made an unrelated error in my permissions policy. I had granted the IAM user permissions to access arn:aws:s3:::my-bucket instead of arn:aws:s3:::my-bucket/*.
After fixing this, I'm able to use the IAM user to read from the S3 bucket, from an external IP, with block all public access still enabled. I can now confirm that this option does not block access from external IPs.
Thank you Mark B!
Related
I have an IAM user that has full S3 access (i.e. can perform any S3 actions on any S3 resource within the AWS account). This user has created a bucket and put some files in it. The bucket has a policy which just contains an Allow rule that grants access to a different IAM user, in the same AWS account. Public access is turned off for the bucket.
Should the first user be able to access objects in this bucket? If so, is that because they created the bucket, or because they're in the account that owns the bucket? Is it possible to limit access to a bucket for users within the same AWS account?
S3 is one of the few services with resource policies; in this case they are called bucket policies.
A user in the same account has access to a (S3) resource if
nothing explicitly denies the access AND
either the bucket policy grants access OR the user / entity has a policy attached that grants access
If you wanted to restrict a bucket to a single user / entity you would
need to write a bucket policy that specifies that using a Deny statement for every user except the target one AND
either add a statement to the bucket policy or a policy attached to the user / entity granting access to the bucket.
The standard doc for understanding policy evaluation logic is this. There are other, more complicated ways to achieve your goal using e.g. permission boundaries and SCPs but they are probably overkill in your situation.
In AWS an IAM user can be given, say, read access to an S3 bucket using permissions. Similarly a policy (permission) can be attached to an S3 bucket to allow a certain user access to that S3 bucket. My question is why there are two ways to do it. Should you define both? What if user 1 is allowed to access an S3 folder but the IAM policy at resource level allows user 2 access to it. Who wins in this situation? What is the order of evaluation?
Typically:
To grant Amazon S3 access to a specific user, it is best to place the policy on the IAM User (or an IAM Group containing IAM Users).
To grant public access, place a Bucket Policy on the bucket permitting anonymous access.
Yes, it is possible to grant individual access via a Bucket Policy, but this can become quite messy if multiple users are added this way.
The user will be permitted to access the bucket as long as either of these methods are used. However, any Deny policy will always override an Allow policy from either source.
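The evaluation order the two answers above describe (an explicit Deny anywhere wins, otherwise an Allow from either the identity policy or the bucket policy suffices, otherwise implicit deny), as an added, simplified Python model that is not part of any post. ALICE, BOB, OBJ and the policies are constructed; ALICE_WRONG also reproduces the my-bucket versus my-bucket/* mistake from the first question.

```python
import fnmatch

ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
OBJ = "arn:aws:s3:::my-bucket/reports/q1.csv"

# Constructed sample policies, not from the posts above. ALICE_WRONG repeats the
# first question's mistake: the bucket ARN instead of my-bucket/* for GetObject.
ALICE_WRONG = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::my-bucket"}]}
ALICE_FIXED = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::my-bucket/*"}]}
# Bucket policy restricting the bucket to Bob: an Allow for Bob plus a Deny for
# everyone who is not Bob, as the answer about same-account access describes.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": BOB}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Deny", "NotPrincipal": {"AWS": BOB}, "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM-style wildcards: '*' matches any run of characters, '?' one character
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(stmt, principal_arn):
    # Identity policies carry no Principal: they apply to the attached principal.
    if "NotPrincipal" in stmt:
        return not _matches(stmt["NotPrincipal"].get("AWS", []), principal_arn)
    principal = stmt.get("Principal", "*")
    return principal == "*" or _matches(principal.get("AWS", []), principal_arn)

def evaluate(principal_arn, action, resource, identity_policy, bucket_policy):
    """Simplified same-account evaluation: an explicit Deny in either policy
    wins; otherwise an Allow from either policy suffices; otherwise implicit
    deny. Conditions, SCPs, permission boundaries and ACLs are ignored."""
    allowed = False
    for policy in (identity_policy, bucket_policy):
        for stmt in policy.get("Statement", []):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _principal_matches(stmt, principal_arn)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"
```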
We have several buckets, some as "public" and others as "Objects can be public". And I don't understand what the difference is?
I don't want any of the buckets to be publicly list-able. And on all buckets I want to be in control what people can access or see. Some keys public (you still need to know the URL to access it, no listing allowed) and some keys private, so you can't even tell it is there.
What is the configuration I should use?
I sometimes get warning notices from AWS, saying the buckets are public and I should check if I really want this. What is the risk? And can I just change the
In both of the configurations under "Permissions" it says
Block all public access -- Off
Block public access to buckets and objects granted through new access control lists (ACLs) -- Off
Block public access to buckets and objects granted through any access control lists (ACLs) -- Off
Block public access to buckets and objects granted through new public bucket or access point policies -- Off
Block public and cross-account access to buckets and objects through any public bucket or access point policies -- Off
So I don't even see the difference?
For a bucket to be "public", it must have a Bucket Policy that grants some permissions to everybody (*).
For "Objects can be public", the bucket must permit ACLs that allow some objects to be set to public (but not the whole bucket). This requires the "ACL" options of Block Public Access to be "off".
By setting Block Public Access to "on", nothing will be accessible via bucket policies or ACLs. Access will only be possible via IAM permissions.
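The distinction in this answer (a public bucket policy versus merely permitted public ACLs, and Block Public Access switching both off), as an added Python checker that is not part of the post. The two bucket policies and the setting dictionaries are constructed, and the public-statement test is simplified to "Allow to everyone with no Condition", which is narrower than the rule AWS applies.

```python
import fnmatch

# The four console toggles quoted in the question map, in order, to the
# PublicAccessBlock settings BlockPublicAcls, IgnorePublicAcls,
# BlockPublicPolicy and RestrictPublicBuckets.
BPA_ALL_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ALL_ON = {key: True for key in BPA_ALL_OFF}

# Constructed bucket policies (not from the post): one grants read to everyone
# (the "you still need to know the URL" case), the other also lets everyone list.
READ_ONLY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::site-assets/*"}]}
LISTABLE_POLICY = {"Statement": READ_ONLY_POLICY["Statement"] + [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::site-assets"}]}

def _everyone(principal):
    # Principal "*" and {"AWS": "*"} both mean any caller, including anonymous
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in (aws if isinstance(aws, list) else [aws])

def public_statements(policy):
    """Allow statements granted to everyone with no Condition (simplified)."""
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "Condition" not in s
            and _everyone(s.get("Principal", {}))]

def classify(bpa, bucket_policy):
    """Console-style access status following the answer above."""
    if public_statements(bucket_policy) and not bpa["RestrictPublicBuckets"]:
        return "Public"
    if not (bpa["BlockPublicAcls"] or bpa["IgnorePublicAcls"]):
        return "Objects can be public"  # public object ACLs would be honored
    return "Bucket and objects not public"

def public_actions(bucket_policy, bpa):
    """Actions anonymous callers may perform once Block Public Access is applied."""
    if bpa["RestrictPublicBuckets"]:
        return set()
    actions = set()
    for s in public_statements(bucket_policy):
        actions.update(s["Action"] if isinstance(s["Action"], list) else [s["Action"]])
    return actions

def allows_public_listing(bucket_policy, bpa):
    # The question's main worry: can strangers enumerate keys?
    return any(fnmatch.fnmatchcase("s3:ListBucket", a)
               for a in public_actions(bucket_policy, bpa))
```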
I have a Cognito pool / Federated identity setup with users receiving temporary IAM credentials via AWS Amplify. These users have access to getObject from a couple S3 buckets even though:
The buckets have all public access disabled
The buckets policy page is blank
The IAM role associated to the Cognito groups that these users are members of (Trust Relationship with cognito-identity.amazonaws.com) has no policies attached that grant any S3 permissions. Policies attached are only for AppSync, Cognito, and APIGateway
If I create a new bucket and point getObject at a contained object, the users get 403 Forbidden, an indication that some bucket-specific policy somewhere is granting access. Problem is we have so many policies and roles, many used in production, so I can't simply do on/off testing to narrow it down.
Is there a way somehow to trace what policy/role is providing access for a specific S3 getObject request?
EDIT: I've run the IAM Policy Simulator for the role associated with the Cognito groups and it gives denied for the objects in question.
The objects I'm trying to have access correctly blocked for have no permissions set for them. The buckets have:
Block new public ACLs and uploading public objects (Recommended): True
Remove public access granted through public ACLs (Recommended): True
Block new public bucket policies (Recommended): True
Block public and cross-account access if bucket has public policies (Recommended): True
UPDATE: I've added CloudTrail logging to my buckets. While an event with eventname = 'GetObject' is logged for any downloads I do from the bucket via console, no events are logged for s3.getObject downloads via the AWS JavaScript SDK. How can I get these events to log?
Use CloudTrail to log Amazon S3 API Calls.
An event logged in CloudTrail for S3 actions includes information about the requested action, the date and time of the action, request parameters, and the user identity, for example:
arn:aws:iam::123456789012:user/Alice
arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName
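Reading the identity out of such events is what narrows the search: for an assumed-role session the record's sessionIssuer names the role whose policies (and any bucket policy naming it) need checking. The following is an added Python helper, not part of the answer; the two CloudTrail records are constructed samples shaped like S3 GetObject data events, and CognitoAuthRole is a made-up role name.

```python
from collections import Counter

# Constructed CloudTrail records (not real logs): a GetObject by an IAM user and
# one by an assumed-role session issued to a Cognito identity.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventTime": "2024-01-01T10:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/Alice"},
     "requestParameters": {"bucketName": "my-bucket", "key": "reports/q1.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventTime": "2024-01-01T10:05:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CognitoAuthRole/CognitoIdentityCredentials",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                          "arn": "arn:aws:iam::123456789012:role/CognitoAuthRole"}}},
     "requestParameters": {"bucketName": "my-bucket", "key": "reports/q1.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventTime": "2024-01-01T10:06:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/Alice"},
     "requestParameters": {"bucketName": "my-bucket", "key": "reports/q2.csv"}},
]

def principal_of(record):
    """The identity whose policies to inspect: the IAM user itself, or for an
    assumed-role session the role that issued the temporary credentials."""
    ident = record["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer")
    return issuer["arn"] if issuer else ident["arn"]

def object_reads(records, bucket, key=None):
    """(principal, key, source IP) for each GetObject on bucket (optionally one key)."""
    reads = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "GetObject":
            continue
        params = r.get("requestParameters", {})
        if params.get("bucketName") != bucket or (key and params.get("key") != key):
            continue
        reads.append((principal_of(r), params.get("key"), r.get("sourceIPAddress")))
    return reads

def reads_by_principal(records, bucket, key=None):
    """Count GetObject calls per principal: the roles/users to check in IAM."""
    return Counter(p for p, _, _ in object_reads(records, bucket, key))
```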
I am trying to access an S3 bucket that I don't own, but have been granted access to through an access policy. The access policy says I can access with getObject, listObject anything from /*. I am guessing that allows me to access everything within the bucket. However, what is happening is that I am able to access only a few files while not able to access others.
And I suspect these files are new files in the bucket that did not exist at the time of the ACL being granted. Something is writing into that bucket with the default ACL. Should that be the cause of ACLs not taking effect and the access denied?