I am struggling with setting up an S3 policy that gives an Application Load Balancer access to push logs.
{
  "Id": "Policy1629585161607",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1629585158642",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::S3bucketname/*",
      "Principal": {
        "AWS": "arn:aws:iam:LoadBalancerId:root"
      }
    }
  ]
}
The LoadBalancerId came from the last part of the load balancer's ARN; it follows the trailing slash after the load balancer's name in the ARN.
The error I got from S3 is "Invalid principal in policy". What have I done wrong?
The AWS docs explain well what the policy should be exactly. Sadly, your policy is incorrect. It should follow the following format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/your-aws-account-id/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/your-aws-account-id/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::bucket-name"
    }
  ]
}
On top of that, the bucket must be in the same region and be encrypted.
I'm unable to add a domain-level privacy bucket policy together with the Zencoder bucket policy. They work when I add one at a time, but when I try to implement both it doesn't work. I'm just looking for a solution to implement both bucket policies in one bucket. I tried to add the condition from the domain-level privacy policy to Zencoder's bucket policy, but then the domain-level privacy stops working.
Here are the bucket policies I'm trying to add.
{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::newbbbb/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": "https://www.vlogmo.com/*"
        }
      }
    }
  ]
}

{
  "Version": "2012-10-17",
  "Id": "ZencoderBucketPolicy",
  "Statement": [
    {
      "Sid": "Stmt1295042087538",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::395540211253:root"
      },
      "Action": [
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::MY-BUCKET/*"
    },
    {
      "Sid": "Stmt1295042087538",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::395540211253:root"
      },
      "Action": [
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MY-BUCKET"
    }
  ]
}
I'm just looking for a solution to implement both bucket policies in one bucket.
You can't do this. A bucket can have only one policy. So you have to join your two policies into one by adding a new Statement:
{
  "Version": "2012-10-17",
  "Id": "ZencoderBucketPolicy",
  "Statement": [
    {
      "Sid": "Stmt1295042087538",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::395540211253:root"
      },
      "Action": [
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::MY-BUCKET/*"
    },
    {
      "Sid": "Stmt1295042087538",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::395540211253:root"
      },
      "Action": [
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MY-BUCKET"
    },
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::newbbbb/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": "https://www.vlogmo.com/*"
        }
      }
    }
  ]
}
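Since a bucket accepts exactly one policy, merging is a mechanical concatenation of Statement lists, but S3 also rejects a policy whose Sid values repeat or whose Resource names a bucket other than the one it is attached to. The helper below is an added example, not code from the answer above; the two input policies are constructed to mirror the question and the account id is a placeholder.

```python
from collections import Counter

def merge_bucket_policies(bucket, *policies):
    """Concatenate the Statement lists of several policies into the single policy a bucket allows.

    Raises ValueError on things S3 rejects: mixed Version values, a duplicate Sid, or a
    Resource that names a bucket other than the one the policy is attached to.
    """
    versions = {p.get("Version", "2008-10-17") for p in policies}
    if len(versions) != 1:
        raise ValueError(f"policies use different Versions: {sorted(versions)}")
    statements = [s for p in policies for s in p["Statement"]]
    dupes = sorted(sid for sid, n in Counter(s.get("Sid") for s in statements).items()
                   if sid and n > 1)
    if dupes:
        raise ValueError(f"Sid values must be unique within one policy: {dupes}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for s in statements:
        for arn in (s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]):
            if arn != bucket_arn and not arn.startswith(bucket_arn + "/"):
                raise ValueError(f"{s.get('Sid')!r} names another bucket: {arn}")
    return {"Version": versions.pop(), "Statement": statements}

# Constructed inputs modelled on the two policies in the question (account id is a placeholder).
ENCODER_ACCOUNT = "arn:aws:iam::111111111111:root"
REFERER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGetFromSite", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::MY-BUCKET/*",
        "Condition": {"StringLike": {"aws:Referer": "https://www.example.com/*"}},
    }],
}
ENCODER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EncoderObjects", "Effect": "Allow", "Principal": {"AWS": ENCODER_ACCOUNT},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListMultipartUploadParts"],
         "Resource": "arn:aws:s3:::MY-BUCKET/*"},
        {"Sid": "EncoderBucket", "Effect": "Allow", "Principal": {"AWS": ENCODER_ACCOUNT},
         "Action": ["s3:ListBucketMultipartUploads", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::MY-BUCKET"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(merge_bucket_policies("MY-BUCKET", ENCODER_POLICY, REFERER_POLICY), indent=2))
```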
I wanted to allow all S3 actions on a particular bucket "test-bucket" for a specific role "test-role" and deny the bucket for all others. The S3 policy I have written:
{
  "Version": "2012-10-17",
  "Id": "Policy1601973417173",
  "Statement": [
    {
      "Sid": "Allow role test-role",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::test-bucket/*"
    },
    {
      "Sid": "Deny rest",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::test-bucket/*"
    }
  ]
}
Even after applying the above policy, the SSO users that are mapped to the role "test-role" are getting Access Denied on the bucket.
Note: The AWS console shows the logged-in user as "Federated Login: test-role/sam#abc.com".
I have also tried the "assumed-role" options, but they are still failing. Any help appreciated.
Try this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::test-bucket",
        "arn:aws:s3:::test-bucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AIDA<userid-1-suppressed>:*",
            "AIDA<userid-1-suppressed>",
            "AIDA<userid-2-suppressed>:*",
            "AIDA<userid-2-suppressed>",
            "AIDA<userid-n-suppressed>:*",
            "AIDA<userid-n-suppressed>",
            "111111111111"
          ]
        }
      }
    }
  ]
}
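The reason this shape works where NotPrincipal did not is that a federated or assumed-role session presents an aws:userId of the form <role unique id>:<session name>, so the `<id>:*` pattern exempts every session of that role while every other caller hits the explicit Deny. The evaluator below is an added example (not code from the answer) that implements IAM wildcard matching and the Deny-over-Allow ordering for this pattern; the role unique id (role ids start with AROA, user ids with AIDA), the account id and the session name are constructed placeholders.

```python
import re

# Constructed policy in the shape of the answer above; the unique ids and account are placeholders.
ROLE_ID = "AROAEXAMPLEROLEID"  # unique id of test-role; role ids start with AROA, user ids with AIDA
ACCOUNT = "111111111111"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::test-bucket", "arn:aws:s3:::test-bucket/*"],
        "Condition": {"StringNotLike": {"aws:userId": [f"{ROLE_ID}:*", ROLE_ID, ACCOUNT]}},
    }],
}

def iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one; no character classes."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def condition_holds(condition, context):
    """StringLike / StringNotLike only; each key must pass (a negated operator passes when absent)."""
    for operator, keys in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(operator)
        for key, patterns in keys.items():
            value = context.get(key)
            hit = value is not None and any(iam_match(p, value) for p in as_list(patterns))
            if (operator == "StringLike") != hit:
                return False
    return True

def evaluate(policy, action, resource, context):
    """Simplified S3 decision for a caller matched by Principal '*': explicit Deny wins, then Allow;
    'ImplicitDeny' means the bucket policy is silent and the caller's own IAM policy decides."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action) for a in as_list(stmt["Action"])):
            continue
        if not any(iam_match(r, resource) for r in as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

A session of test-role (aws:userId `AROAEXAMPLEROLEID:sam@abc.com`) is left to its identity policy, while any other user id is explicitly denied.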
I'm trying to access one of my S3 buckets from my EC2 instance deployed by Elastic Beanstalk. My EC2 instance belongs to aws-elasticbeanstalk-ec2-role and I have granted this role the AmazonS3FullAccess policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
Then the bucket policy is as follows:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs/*"
    },
    {
      "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX",
        "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments/*"
      ]
    },
    {
      "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
    }
  ]
}
When I try to access the bucket from an SSH connection or through a script inside .ebextensions I receive an Access Denied 403 error. I tried making the files public and using the same commands and it worked perfectly, but the files I need can't be public.
I think I have the correct policies for both the bucket and the EC2 role. I might be forgetting some detail though.
Any help will be welcomed. Thank you folks in advance!
So based on my knowledge and previous issues I experienced, your bucket policy is incorrect.
It isn't valid because the ListBucket and ListBucketVersions actions must be applied to the bucket name, not a prefix.
Here is my corrected policy that should work:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs/*",
        "arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs"
      ]
    },
    {
      "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments",
        "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments/*"
      ]
    },
    {
      "Sid": "eb-af163bf3-d27b-4712-b795-anything",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
      ]
    },
    {
      "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
    }
  ]
}
Useful docs to reference in the future: AWS S3 docs
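Both the "Invalid principal" error from the load balancer question at the top of this page and the bucket-level-action mistake in this answer are shape errors that can be caught before the policy is ever submitted. The linter below is an added example (not code from any post here): it checks that every "AWS" principal is a bare account id or an IAM/STS ARN with the empty region slot (`arn:aws:iam::<account>:root`), and that bucket-level actions such as s3:ListBucket sit on the bucket ARN while object-level actions sit on an object path. The action sets and the sample policy are constructed; the account id is a placeholder.

```python
import re

# Valid "AWS" principal forms: a bare 12-digit account id, or an IAM/STS ARN with the
# empty region slot ("iam::") followed by a 12-digit account id.
AWS_PRINCIPAL = re.compile(
    r"^(\d{12}|arn:aws:iam::\d{12}:(root|user/.+|role/.+)|arn:aws:sts::\d{12}:assumed-role/.+)$")
BUCKET_LEVEL = {"s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:DeleteBucket"}
OBJECT_LEVEL = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject",
                "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:ListMultipartUploadParts"}

def as_list(v):
    return v if isinstance(v, list) else [v]

def is_object_arn(arn):
    """arn:aws:s3:::bucket/key... is an object ARN; arn:aws:s3:::bucket is the bucket itself."""
    return "/" in arn[len("arn:aws:s3:::"):]

def lint_bucket_policy(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        label = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            for arn in as_list(principal.get("AWS", [])):
                if arn != "*" and not AWS_PRINCIPAL.match(arn):
                    findings.append(f"{label}: invalid AWS principal {arn!r}")
        for action in as_list(stmt["Action"]):
            for arn in as_list(stmt["Resource"]):
                if action in BUCKET_LEVEL and is_object_arn(arn):
                    findings.append(f"{label}: bucket-level action {action} on object ARN {arn}")
                elif action in OBJECT_LEVEL and not is_object_arn(arn):
                    findings.append(f"{label}: object-level action {action} on bucket ARN {arn}")
    return findings

# Constructed sample reproducing both mistakes discussed on this page (account id is a placeholder).
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AlbLogs", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam:LoadBalancerId:root"},  # missing '::' and account id
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::logs-bucket/*"},
        {"Sid": "EbRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/aws-elasticbeanstalk-ec2-role"},
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::eb-bucket", "arn:aws:s3:::eb-bucket/resources/environments/*"]},
    ],
}
```

Running `lint_bucket_policy(SAMPLE)` reports the malformed principal, ListBucket on an object path, and GetObject on the bare bucket ARN (a statement that grants nothing).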
I'm trying to prevent hotlinking of images in my S3 bucket. I thought this bucket policy would work, but so far no luck:
{
  "Version": "2008-10-17",
  "Id": "Bucket policy for example.com",
  "Statement": [
    {
      "Sid": "Allow GET requests referred by example.com",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://www.example.com/*",
            "http://www.example.com/*",
            "https://example.com/*",
            "http://example.com/*"
          ]
        }
      }
    },
    {
      "Sid": "Allow GET requests that don't specify a referrer",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example/*",
      "Condition": {
        "Null": {
          "aws:Referer": true
        }
      }
    }
  ]
}
How do I make it so this policy denies access to images embedded on other websites?
I have a user with the following policy, and I'm using DragonDisk client program. This user can do everything under bucket1/folder1/, except accessing a file's properties (access denied). I can't figure out why. Any idea? Thanks.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::bucket1"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [""],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::bucket1"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["folder1/*"]
        }
      }
    },
    {
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::bucket1/folder1/*"]
    }
  ]
}