So far my S3 Bucket policy looks like this which I have got from the Generator Policy, I included my Account ID as the Principle to generate the policy but when I go to add this within my Load Balancer attributes it says that "Access Denied for bucket: bucket2. Please check S3bucket permission" What is denying access and how could I fix it?
{
"Version": "2012-10-17",
"Id": "Policy1630018580759",
"Statement": [
{
"Sid": "Stmt1630018536294",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::615298492481:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::elb-bkt/logs/AWSLogs/615298492481/*"
}
]
}
Related
To all AWS experts:
Error : Policy has invalid action
Trying to Deny access to a IAM user via bucket policy. AWS document shows as an example but its not working. Am I doing something wrong?
Bucket Policy JSON:
{
"Id": "Policy1630065308389",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1630065306314",
"Action": [
"s3:DeleteBucket",
"s3:GetObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucketv11/*",
"Principal": {
"AWS": "arn:aws:iam::673863497215:user/mom-tester"
}
}
]
}
The s3:DeleteBucket action is a bucket-level action so you cannot apply it to the resource "arn:aws:s3:::mybucketv11/*", which is an object-level resource.
Your bucket policy would look more like this:
{
"Id": "Policy1630065308389",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s1",
"Action": ["s3:GetObject"],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucketv11/*",
"Principal": {
"AWS": "arn:aws:iam::673863497215:user/mom-tester"
}
},
{
"Sid": "s2",
"Action": ["s3:DeleteBucket"],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucketv11",
"Principal": {
"AWS": "arn:aws:iam::673863497215:user/mom-tester"
}
}
]
}
That said, why are you using an S3 bucket policy to deny access to the IAM user? Why not simply modify the permissions/roles of the IAM user so as not to allow access to this bucket?
I created an s3 bucket and gave the following bucket policy to it
{
"Version": "2012-10-17",
"Id": "Policy1586942250763",
"Statement": [
{
"Sid": "Stmt1586942249918",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accID:user/username1”
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name"
}
]
}
Obviously this would give access only to the user username1. Now username1 was deleted from IAM. Is there any way to recover access to this bucket. I have an IAM account with admin privileges but aws s3api delete-bucket-policy111 seems to be not working.
Only root user can do anything on that bucket now.
I want to create a policy to allow everyone to read my S3 bucket, this is the policy that I have created (I am following this guide):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-s3-bucket/*",
"Principal": "*"
}
]
}
I cannot create this policy, this is the error that I am getting:
This policy contains the following error: Has prohibited field
Principal For more information about the IAM policy grammar, see AWS
IAM Policies
The problem was, I was creating the new Policy in IAM. I had to add the policy in S3, as a bucket Policy:
Select S3 Bucket -> Permissions -> Bucket Policy: paste the policy here
Note: If you want to grant read permission to anonymous user at the bucket level, then you need to turn off the following two settings.
I have generated the policy which you want using the Policy Generator.
{
"Id": "Policy1567210887639",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1567210883302",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-s3-bucket/*",
"Principal": "*"
}
]
}
Check if this works for you.
Having some issues with AWS permissions and policies for grafana to be able to upload images. First off I tried with a custom policy attached to my user based on the requirements here https://grafana.com/docs/installation/configuration/#access-key.
Here's the policy:
custom policy with locked down permissions and bucket name
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::myclient-grafana-images"
}
]
}
This unfortunately didn't work and can see an access denied error in my grafana logs. The user is trying to write an image to the bucket and ended up adding the AWS predefined policy for s3 full access. This managed to get it working
s3 full access policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
The question is trying to lock the policy down just to the bucket that I need. I've tried creating a new policy with the full access policy and updated the wildcard to reference the s3 arn but that didn't work either.
Any suggestions on the best way to lock down the policies.
The PutObject and PutObjectAcl actions work on objects, not buckets.
This means that your Resource key should represent objects. ARN for objects start with the bucket name but are followed by a / and a path.
You should adapt your policy in the following way if you want to be able to put any object in your bucket (note the /*):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::myclient-grafana-images/*"
}
]
}
I have an AWS account with read/write permissions as shown below:
I'd like to make it so that an IAM user can download files from an S3 bucket but I'm getting access denied when executing aws s3 sync s3://<bucket_name> . I have tried various things, but not to avail. Some steps that I did:
Created a user called s3-full-access
Executed aws configure in my CLI and entered the generated access key id and secret access key for the above user
Created a bucket policy (shown below) that I'd hoped grants access for my user created in first step.
My bucket has a folder name AffectivaLogs in which files were being added anonymously by various users, and it seems like though the bucket is public, the folder inside it is not and I am not even able to make it public, and it leads to following error.
Following are the public access settings:
Update: I updated the bucket policy as follows, but it doesn't work.
To test the situation, I did the following:
Created an IAM User with no attached policies
Created an Amazon S3 bucket
Turned off S3 block public access settings:
Block new public bucket policies
Block public and cross-account access if bucket has public policies
Added a Bucket Policy granting s3:* access to the contents of the bucket for the IAM User
I then ran aws s3 sync and got Access Denied.
I then modified the policy to also permit access to the bucket itself:
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/*",
"arn:aws:s3:::my-bucket"
],
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/stack-user"
]
}
}
]
}
This worked.
Bottom line: Also add permissions to access the bucket, in addition to the contents of the bucket. (I suspect it is because aws s3 sync requires listing of bucket contents, in addition to accessing the objects themselves.)
If you use KMS encryption enabled on bucket you should also add policy that allows you to decrypt data using KMS key.
You can configure the S3 policy with the required principal
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountId:user/*
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket"
},
{
"Sid": "GetObjects",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountId:user/*
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket/*"
}
]
}
Or you can create IAM policy and attached it to the role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket"
},
{
"Sid": "GetObject",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket/*"
}
]
}