AWS - Permission Denied After Setting a Policy with SecureTransport:false - amazon-web-services

I was trying to enforce a policy that allows only SSL access.
However, after attaching the policy, I now get "You don't have permissions" on every single thing in this bucket, including the Permissions tab and the Bucket Policy section.
I am the admin and I do have all access permissions to S3 in IAM for my user.
This is the policy:
{
    "Id": "Policy98421321896",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MustBeEncryptedInTransit",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::cf-templates-98d9d7a96z21x-us-east-1",
                "arn:aws:s3:::cf-templates-98d9d7a96z21x-us-east-1/*"
            ],
            "Condition": {
                "ArnEqualsIfExists": {
                    "aws:SecureTransport": "false"
                }
            },
            "Principal": "*"
        }
    ]
}
Question is:
How do I restore permissions to this bucket?
And how should I correctly set this policy?

When you want to add a condition that checks a Boolean value, it should use the "Bool" key with a valid value.
"Condition": {
    "Bool": {
        "aws:SecureTransport": "true"
    }
}
What you are trying to achieve is mentioned in this blog, and you can use it according to your needs.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
{
    "Id": "ExamplePolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            },
            "Principal": "*"
        }
    ]
}
About the second part of your question: you can reset the permissions using your root account, as it should have god-level permissions. But it is strange that updating a bucket policy changes your IAM policies so that you can't access certain parts of the S3 config. Maybe something else is missing here.

Related

S3 tagging and access control policies not working for limiting the tags keyset on an object

Trying to restrict tags to only a given set of keys that can be attached to objects. Using bucket-level policies to define this condition. However, the logic is not working. Bucket policy (https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account-Id>:user/AdminUser"
            },
            "Action": "s3:PutObjectTagging",
            "Resource": "arn:aws:s3:::test-notifications-per-prefix/*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "s3:RequestObjectTagKeys": "LIFE"
                }
            }
        }
    ]
}
Boto3 code to upload the object
import boto3

# PutObjectTagging on an existing object; this is the request the
# s3:PutObjectTagging statement in the bucket policy is evaluated against.
s3 = boto3.client('s3')
response = s3.put_object_tagging(
    Bucket='test-notifications-per-prefix',
    Key="file.txt",
    Tagging={
        'TagSet': [
            {
                'Key': "TEST",
                'Value': "SHORTTERM"
            }
        ]
    }
)
The object is still getting uploaded when I run the above code.
I am not able to figure out why this is happening. I tried denying object tagging in the bucket policy (removed the condition from the policy and made the effect Deny), and then any object uploaded with a tag threw an access denied error (so the rules are being applied, for sure).
Can you please let me know what I am doing wrong here?
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::<account-id>:user/AdminUser"
            },
            "Action": "s3:PutObjectTagging",
            "Resource": "arn:aws:s3:::<bucket-name>/prefix1/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:RequestObjectTag/LIFE": [
                        "2",
                        "15"
                    ]
                }
            }
        }
    ]
}
I was able to restrict the key and value pairs in my S3 bucket using the bucket policy above. An explicit deny is denying all requests coming from the principal that do not have the following tags.
However, this policy will not work for objects that are uploaded without tags.
EDIT:
We can attach the policy below to a role to enforce that uploaded objects carry the given key and value pairs.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<bucket-name>/prefix1/*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "s3:RequestObjectTagKeys": "LIFE"
                },
                "ForAllValues:StringEquals": {
                    "s3:RequestObjectTag/LIFE": ["2", "15"]
                }
            }
        }
    ]
}
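To make the set-operator semantics behind these policies concrete, here is an added example in Python; it is not code from the original post or from AWS. It models ForAllValues and ForAnyValue over the multivalued key s3:RequestObjectTagKeys and applies the first policy's condition and the EDIT policy's condition to a few constructed tag sets, including an upload with no tags at all (the case the reply says the Deny variant misses).

```python
import fnmatch

# Added example, not code from the original post: a model of how IAM's set
# operators ForAllValues and ForAnyValue treat the multivalued request key
# s3:RequestObjectTagKeys, and why the EDIT policy needs ForAnyValue to
# reject uploads that carry no LIFE tag at all. All tag sets are constructed.

def string_equals(value, policy_values):
    return value in policy_values

def string_like(value, policy_values):
    """StringLike: case-sensitive match with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in policy_values)

def for_all_values(request_values, policy_values, match=string_equals):
    """ForAllValues: every request value must match some policy value.
    Vacuously TRUE when the request carries no value for the key."""
    return all(match(v, policy_values) for v in request_values)

def for_any_value(request_values, policy_values, match=string_equals):
    """ForAnyValue: at least one request value must match; FALSE on an empty set."""
    return any(match(v, policy_values) for v in request_values)

def request_context(tag_set):
    """The tag-related context keys S3 derives from a TagSet in the request."""
    ctx = {"s3:RequestObjectTagKeys": [t["Key"] for t in tag_set]}
    for t in tag_set:
        ctx["s3:RequestObjectTag/" + t["Key"]] = [t["Value"]]
    return ctx

def original_condition(tag_set):
    """First policy: ForAllValues:StringLike on s3:RequestObjectTagKeys == "LIFE"."""
    ctx = request_context(tag_set)
    return for_all_values(ctx["s3:RequestObjectTagKeys"], ["LIFE"], string_like)

def edited_condition(tag_set):
    """EDIT policy: a LIFE key must be present (ForAnyValue:StringEquals)
    AND every LIFE value must be 2 or 15 (ForAllValues:StringEquals)."""
    ctx = request_context(tag_set)
    return (for_any_value(ctx["s3:RequestObjectTagKeys"], ["LIFE"])
            and for_all_values(ctx.get("s3:RequestObjectTag/LIFE", []), ["2", "15"]))

SAMPLES = {  # constructed tag sets
    "TEST=SHORTTERM": [{"Key": "TEST", "Value": "SHORTTERM"}],
    "no tags": [],
    "LIFE=2": [{"Key": "LIFE", "Value": "2"}],
    "LIFE=7": [{"Key": "LIFE", "Value": "7"}],
    "LIFE=15 plus TEST=x": [{"Key": "LIFE", "Value": "15"}, {"Key": "TEST", "Value": "x"}],
}

def evaluate_samples():
    """Map each sample name to (original condition holds, EDIT condition holds)."""
    return {name: (original_condition(ts), edited_condition(ts)) for name, ts in SAMPLES.items()}

if __name__ == "__main__":
    for name, (orig, edited) in evaluate_samples().items():
        print(f"{name:22} original condition: {orig!s:6} edited condition: {edited}")
```

Two things the output makes visible. ForAllValues is satisfied by an empty key set, so the first policy's condition holds for an untagged upload; and whether a bucket-policy Allow matches or not, it never denies anything, since a same-account user's own IAM permissions still grant s3:PutObjectTagging unless some policy contains an explicit Deny. The EDIT policy closes the missing-tag case with ForAnyValue, but as the last sample shows it still accepts extra keys next to LIFE; restricting the key set would need an additional ForAllValues condition on s3:RequestObjectTagKeys.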

How to update the IAM policy so that the IAM role has the same permission set the IPs have?

How do I update the IAM policy below so that the IAM role, arn:aws:iam::7574333677569:role/dev-abc-webserver, also has permissions?
{
    "Version": "2012-10-17",
    "Id": "Policy1517260196123",
    "Statement": [
        {
            "Sid": "Stmt1432661968133",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::pdf.abc.com/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "24.237.272.151/32",
                        "42.69.252.185/32"
                    ]
                }
            }
        }
    ]
}
The issue I face is that the IAM role doesn't currently have permission.
I want the IAM role to have the same permission set as the IPs have.
We don't need to change the policy; we need to expand what it already grants to include the provided IAM role.
So the "Condition": { block needs to be expanded so that we are checking for our IPs or the IAM role.
I am not able to figure out how to provide access via the IAM role yet.
I did check some AWS documentation but was not able to figure it out.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
Could anyone help me with this issue? Any help would be appreciated.
Since multiple conditions within a statement are always ANDed and never ORed you need a second statement to grant the permission to other entities. That statement will have a different Principal and the Condition can be removed.
{
    "Version": "2012-10-17",
    "Id": "Policy1517260196123",
    "Statement": [
        {
            "Sid": "Stmt1432661968133",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::pdf.abc.com/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "24.237.272.151/32",
                        "42.69.252.185/32"
                    ]
                }
            }
        },
        {
            "Sid": "StmtForRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::7574333677569:role/dev-abc-webserver"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::pdf.abc.com/*"
        }
    ]
}

Why does aws s3 bucketpolicy allow upload of objects?

I have this bucket policy (generated from the policy generator).
{
    "Id": "Policy1620290934586",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1620290801219",
            "Action": [
                "s3:PutObject"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                },
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            },
            "Principal": "*"
        }
    ]
}
This policy will allow objects to be uploaded only when the SSE-S3 header is present with the value AES256.
Also, I have enabled bucket-wide encryption settings using AWS KMS.
So when I try to upload a file with default bucket encryption, according to the policy it should not be allowed, because it does not have the SSE-S3 header, yet the file upload is successful. Why?
I have followed this article.
Update:
The following policy works, meaning that when I am using the default bucket encryption settings during upload, it denies. Why didn't the above policy work, and why does the latter policy work?
{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
The Null statement:
"Null": {
    "s3:x-amz-server-side-encryption": "true"
}
can be read as:
if s3:x-amz-server-side-encryption does not exist.
Thus, if I understand the IAM logic correctly, the situation is as follows:
First case:
Your Condition reads as:
if s3:x-amz-server-side-encryption does not exist AND is not equal to AES256.
Since you are using default encryption in the first try, there is no s3:x-amz-server-side-encryption key in the request. From the docs:
A key that is not present in the request is considered a mismatch.
This means that your Condition is not satisfied and the Deny does not apply.
Second case:
This one works, because by having two separate statements you are saying:
if s3:x-amz-server-side-encryption does not exist OR is not equal to AES256
So the Deny will take effect in either case.
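The rule this answer relies on (operators inside one Condition block are ANDed, separate statements are ORed, and a matching Deny wins) is the same rule behind the two-statement fix in the IP/role answer and behind the Bool SecureTransport policy in the first answer on this page. The following added Python model is not code from any post here, nor an AWS library; it evaluates one bucket policy against one request context for exactly the elements those three policies use. The bucket and role ARNs and the IP ranges are constructed placeholders; the condition keys are the real ones from the posts. A missing context key is treated as a mismatch, the rule this answer quotes; that line is marked as the one to verify against the IAM docs for negated operators.

```python
import fnmatch
import ipaddress

# Added example, not code from any post on this page: a small model of how a
# single S3 bucket policy is evaluated against one request. It covers only the
# elements the posts above use (Principal, Action, Resource, and the Bool,
# Null, String* and IpAddress operators). Names below are constructed.
BUCKET = "arn:aws:s3:::example-bucket"
OBJ = BUCKET + "/report.pdf"
ROLE = "arn:aws:iam::123456789012:role/example-webserver"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_matches(op, key, expected, ctx):
    """One operator/key pair of a Condition block against the request context."""
    present = key in ctx
    if op == "Null":
        # Null: "true" asserts the key is absent, "false" asserts it is present.
        return present != (expected == "true")
    if not present:
        # Missing key = mismatch, the rule quoted in the answer above. Verify
        # this against the IAM docs before relying on it for StringNot* operators.
        return False
    actual = ctx[key]
    if op == "Bool":
        return str(actual).lower() == str(expected).lower()
    if op == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(n) for n in _as_list(expected))
    if op in ("StringEquals", "StringNotEquals"):
        return (actual in _as_list(expected)) == (op == "StringEquals")
    if op in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected))
        return hit == (op == "StringLike")
    raise ValueError("operator not modelled: " + op)

def principal_matches(spec, principal):
    if spec == "*":
        return True
    allowed = _as_list(spec.get("AWS", []))
    return "*" in allowed or principal in allowed

def statement_matches(stmt, req):
    if not principal_matches(stmt.get("Principal", "*"), req["principal"]):
        return False
    if not any(fnmatch.fnmatchcase(req["action"].lower(), a.lower())
               for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    # Every operator/key pair inside ONE Condition block must hold (logical AND).
    return all(condition_matches(op, key, value, req["context"])
               for op, keys in stmt.get("Condition", {}).items()
               for key, value in keys.items())

def evaluate(policy, req):
    """Statements are ORed; a matching Deny beats any matching Allow. "NoMatch"
    means the bucket policy is silent and the caller's own IAM policy decides."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_matches(s, req)}
    return "ExplicitDeny" if "Deny" in effects else "Allow" if "Allow" in effects else "NoMatch"

def request(action, resource=OBJ, principal="anonymous", context=None):
    return {"action": action, "resource": resource, "principal": principal,
            "context": context or {}}

def stmt(effect, action, condition=None, principal="*"):
    s = {"Effect": effect, "Principal": principal, "Action": action,
         "Resource": [BUCKET, BUCKET + "/*"]}
    if condition:
        s["Condition"] = condition
    return s

# SSL-only policy as corrected in the first answer: Bool is the operator that
# understands "false", and Principal "*" includes the bucket's own admins.
SSL_ONLY = {"Statement": [stmt("Deny", "s3:*", {"Bool": {"aws:SecureTransport": "false"}})]}

# IP-or-role policy from the second answer: two Allow statements, because the
# conditions inside one statement are ANDed (documentation IP ranges used here).
IP_OR_ROLE = {"Statement": [
    stmt("Allow", "s3:*", {"IpAddress": {"aws:SourceIp": ["198.51.100.7/32", "203.0.113.0/24"]}},
         principal={"AWS": "*"}),
    stmt("Allow", "s3:*", principal={"AWS": ROLE}),
]}

# Encryption-header policies from the question above: both operators in one
# statement (ANDed) versus one operator per statement (ORed).
SSE_KEY = "s3:x-amz-server-side-encryption"
SSE_ONE_STATEMENT = {"Statement": [stmt("Deny", "s3:PutObject",
    {"StringNotEquals": {SSE_KEY: "AES256"}, "Null": {SSE_KEY: "true"}})]}
SSE_TWO_STATEMENTS = {"Statement": [
    stmt("Deny", "s3:PutObject", {"StringNotEquals": {SSE_KEY: "AES256"}}),
    stmt("Deny", "s3:PutObject", {"Null": {SSE_KEY: "true"}}),
]}

if __name__ == "__main__":
    print(evaluate(SSL_ONLY, request("s3:GetObject", context={"aws:SecureTransport": "false"})))
    print(evaluate(SSE_ONE_STATEMENT, request("s3:PutObject", context={SSE_KEY: "aws:kms"})))
    print(evaluate(SSE_TWO_STATEMENTS, request("s3:PutObject", context={SSE_KEY: "aws:kms"})))
```

Running it shows three outcomes worth keeping in mind. The Bool-based Deny blocks an HTTP request from every principal, the bucket's administrators included, because a Principal "*" Deny in a bucket policy overrides the IAM Allows of the account's own users. The two Allow statements grant the role and the listed IP ranges independently of each other. And the single-statement encryption policy is silent on an SSE-KMS upload (the header is present, so Null fails and the AND fails), while the two-statement version denies it. A NoMatch result is not a denial: the bucket policy has nothing to say and the caller's identity policy decides.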

Restrict all access to a s3 bucket and allow 1 IAM user

As part of a plan to deprecate S3 objects, I am revoking all access apart from mine. I tried 2 ways, but now I find I am not able to see the bucket policy.
Error message from console:
You don’t have permission to get bucket policy
You or your AWS administrator must update your IAM permissions to allow s3:GetBucketPolicy. After you obtain the necessary permission, refresh the page. Learn more about Identity and access management in Amazon S3
First:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::ck",
                "arn:aws:s3:::k/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDA"
                    ]
                }
            }
        }
    ]
}
Second:
{
    "Id": "bucketPolicy",
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::0220:user/an"
                ]
            },
            "Resource": [
                "arn:aws:s3:::tes",
                "arn:aws:s3:::tes/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

AWS Macie - list of query fields

The AWS Macie documentation shows an example of adding a basic alert.
The example query to add is s3_world_readability:"true"
Where do we find a list of valid fields that we can query on?
The docs refer to Constructing Queries in Macie, but nowhere do I see a listing of what fields I can query.
I'm trying to figure out whether I can create a Macie alert if a bucket doesn't have a bucket policy that enforces server-side encryption.
Am I missing something obvious?
Update
I found out that you can get some suggestions from the Macie console in the Research tab.
Using this pattern when selecting S3 bucket properties, I'm able to drill down into the bucket policy.
My bucket policy is:
{
    "Version": "2008-10-17",
    "Id": "Policy123456789",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
I can use the following query in Macie and it will return the bucket with this policy:
policy.Policy.Statement.Action:"s3:PutObject"
So if I want to query bucket policies that match the Conditions forcing SSE, I try:
policy.Policy.Statement.Condition.StringNotEquals.s3\:x\-amz\-server\-side\-encryption:"AES256"
But I get nothing back. Is there a better way for me to query these properties?