Scenario:
I have 3 AWS root accounts in the same organization.
admin#mydomain.com
user1#mydomain.com
user2#mydomain.com
user1 created an S3 bucket B1. I want user2 and admin to be able to see and browse B1 on their own S3 dashboard. Is this possible? What policy(policies) that I need to create? Where do I create these policies and how to create them?
**The original question has been edited. Some answers below might not be relevant any more
I believe all you need to do is add Principal: "*" to the policy. This opens access to anyone, but the condition will limit it to the org.
As far as I know, I cannot do the S3 bucket console sharing between root users. I've finally managed to share the bucket created by user1 with an IAM user.
Steps for Root User
Login into AWS console and go to IAM
Create group
Create IAM policy i.e. allowing S3 full access (see below)
Attach policy to group
Create IAM user
For Access type choose AWS Management Console access
Add user to the group you created in step 1
Follow through until you click on create user button
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-xxxvvvwww8"
}
}
}
]
}
EDIT:
After rigorous trial & error testing, it seems that we don't even need bucket policy for this to work. I've removed the bucket policy and it all still works!
Steps for IAM User
Log into AWS console as IAM user
Go to S3 console. You should be able to see and browse all buckets and objects created by all organization members
Note
Your IAM user would not be able to see the bucket listed on its S3 console dashboard. That shared bucket can only be accessed through direct link. So your root user must provide the URL i.e. https://s3.console.aws.amazon.com/s3/buckets/bucket1/ to your IAM user
Related
I have created bucket poc-work from admin account, and under this policy I have set policy like below:
{
"Version": "2012-10-17",
"Id": "Policy1620674317608",
"Statement": [
{
"Sid": "Stmt1321974214233",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accound-id:user/iam-user"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::poc-work",
"arn:aws:s3:::poc-work/*"
]
}
]
}
I have not attached any aws managed policy like s3readonly to IAM user , but I am under assumption that setting bucket policy should make bucket visible to IAM user . But when IAM user log in and check for s3 service there is error message:
You don't have permissions to list buckets
I have below queries:
can't I create bucket policy that enables list s3 buckets ?
Is it necessary to attach policy already defined browsing on IAM console and then rest of operations control with bucket policy ?
You are giving the user permission for one bucket, but if the user is going through the console the user needs the ListAllBuckets permission to see all the buckets that exist in the account. So you do need to add permissions to the IAM user as well--not just the one bucket.
Also see:
https://acloud.guru/forums/s3-masterclass/discussion/-L6X96Lo37ZnG_g6wiEg/ListBucket%20vs%20ListAllMyBuckets
https://stackoverflow.com/a/30961920/230055
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example1.html
The 1st link says:
ListAllMyBuckets is required for seeing the list of buckets via the
AWS console. It is a MUST if you plan to use the console for S3
administration. If you don't have this permission you basically won't
see any of the buckets in the S3 console despite whatever other
permissions you have configured and therefore can't take any action
upon them.
I have an application where I am using Cognito to authenticate users and giving temporary access to AWS Console but that user is able to see all other buckets, I want that user just should be able to see or access buckets created by him.
Currently, I have given S3FullAccess Policy to Cognito users. Can anyone suggest which policy I should attach?
As per my R&D, I can some policies are there that can restrict particular user or allow particular user but my users will be dynamic, so I cannot hard-code the values and also policies like allowing/restricting access to particular buckets, I want only users who create buckets should be able to access not other users.
This is something which i found
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:userid}/*"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name/home/${aws:userid}",
"arn:aws:s3:::bucket-name/home/${aws:userid}/*"
]
}
]
}
But this is listing all buckets and the only accessible bucket is what put in the code above, I want for new user, it should show nothing and as it creates, it should show that only
This is not going to be easy and you will need to create your own policy and enforce some conventions. You have 3 options.
But first, if each user just needs their own S3 space look at S3 Prefix [here](
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/) Also, you can do this on the S3 resource bucket. I have a template for doing this here in gitlab
Now back to answering your question.
Option 1; They will need to set a tag when they create the bucket where an "owner" tag is equal to their identity. I striked this one out because despite being listed in the IAM policy I'm pretty sure it doesn't work with S3.
Option 2: The prefix of the bucket name is equal to their identity.
Then you can use the feature of variables and tags in IAM Policy. Read here
Note that coginto users are web federated identities so the variable aws:username is not aviable for you. Use the aws:userid variable and the value will be role id:caller-specified-role-name where role id is the unique id of the role and the caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRoleWithWebIdentity request
Option 3: Use IAM Access Policy
I can not find a link to the how to at the moment. But from here is a detailed description.
Q: How do I control what a federated user is allowed to do when signed in to the console?
When you request temporary security credentials for your federated
user using an AssumeRole API, you can optionally include an access
policy with the request. The federated user’s privileges are the
intersection of permissions granted by the access policy passed with
the request and the access policy attached to the IAM role that was
assumed. The access policy passed with the request cannot elevate the
privileges associated with the IAM role being assumed. When you
request temporary security credentials for your federated user using
the GetFederationToken API, you must provide an access control policy
with the request. The federated user’s privileges are the intersection
of the permissions granted by the access policy passed with the
request and the access policy attached to the IAM user that was used
to make the request. The access policy passed with the request cannot
elevate the privileges associated with the IAM user used to make the
request. These federated user permissions apply to both API access and
actions taken within the AWS Management Console.
The nice thing about this approach is you programmatically create the access policy.
As per my understanding with out giving access, any IAM user can not access the S3 bucket/object. But in my use case I am able to access it.
Am I misunderstood the security policy in S3.
Here is my use case I have root account in AWS, say root user. And this user created two IAM users,say Admin and Test users. And root user given S3FullAccess permission to both IAM users.
Now I logged in as Admin and created one Bucket( say Test). And enabled "Block all public access ".
Now with another IAM user still I am able to access Test bucket, even though " Block all public access " enabled.
Ideally it should not right. The Test user should get access denied permission while accessing Test bucket.
Am I missing anything, any help would be highly appreciated
Thanks
AWS learner
The "block all public access" to the bucket is referring to outside your organization, not with the IAM users.
In other words, if your bucket is accessible to the public, then anyone who has access to the objects S3 URL can directly access that object.
You may restrict access to the bucket by using a bucket policy, but it would make more sense to remove the S3FullAdminAccess from the test user in IAM.
And root user given S3FullAccess permission to both IAM users
This is the reason why your both the users are able to see the bucket as they have the below policy attached with the user :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
You remove this policy from the user and you'll see below error :
I'm developing a mobile application & i want to upload/get/delete a file in AWS S3 bucket.
But I'm very concern about the security problem.
S3 Bucket: It should not be public and only authorize IAM user can access who have the permission to access my bucket.
So, need help to configure permission of my S3 bucket & create an IAM user.
That is not how you authorize access for mobile applications. Yes, you can create IAM user, generate access key and secret access key, store those keys in the application code and configure right permissions for the IAM user. Then you don't even need to configure bucket policy. By default, bucket is private and only IAM users in your account with appropriate permissions are able to access it. If you allow IAM user to access specific S3 bucket then you would need to configure explicit deny on bucket policy to override it.
But the above approach is against every security good practice. What you really want to do is to create IAM role that allows access to the bucket and assume that role from within the application. You can set up Cognito + web federation (or some other web federation provider) for your users and ask STS service to generate short lived credentials using sts:assumeRoleWithWebIdentity command.
As for the IAM permissions, you will need to allow s3:PutObject, s3:GetObject and s3:DeleteObject so the policy can look something like this.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "<arn-of-your-bucket>"
}
]
}
You can be even more granular and allow Cognito users to access only "their" folder inside of a bucket if you need to.
As for the role, you just need to attach the above policy to it and configure trust relationship between the role and web identity provider (as mentioned above, this can be Cognito or any OpenID provider).
I am trying to give access permission for S3 bucket in account to another account.
For the created bucket in permission tab there is an option of Access for other AWS accounts. Under that I am seeing an Add Account button. I clicked it and gave my other account from which I want to access this bucket.
However, I am getting an Invalid ID error.
If you wish to grant access to specific User in a different account, it's quite simple. (I don't think this method will work for giving access to a different Account.)
Let's say you have:
Account A with Bucket A that you own
Account B with User B to which you wish to grant access
Ask User B for the ARN associated with their IAM User. This can be seen in the IAM Management Console and it will look like:
arn:aws:iam::123456789012:user/fred
Then, add a Bucket Policy to Bucket A:
{
"Version": "2012-10-17",
"Id": "S3AccessPolicy",
"Statement": [
{
"Sid": "GiveFredAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/fred"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-a",
"arn:aws:s3:::bucket-a/*"
]
}
]
}
This will allow Fred to access the S3 bucket. This works for users in the same account AND for users in a different account.
For getting the canonical ID, one of the simplest ways is to use CLI and run
aws s3api list-buckets command.
You will get the ID in the output.
There are other ways also for getting the canonical ID and are clearly described in the aws docs: https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
list-buckets aws docs: https://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html
You need the "canonical user id". You can find out about this here.
To view your canonical user ID as a root user (console)
Sign in as the root user using your AWS account email address and password.
... snip ...
In the top right of the console, choose your account name or number. Then choose My Security Credentials.
If necessary, in the dialog box, choose Continue to Security Credentials. You can choose the box next to Don’t show me this message again to stop the dialog box from appearing in the future.
Expand the Account Identifiers section to view your canonical user ID.
Note
If you do not see the Account Identifiers section, then you are not signed in as the root user. Return to Step 1 above. If you do not have access to the root user credentials, contact your AWS account administrator and ask them to retrieve the canonical user ID.