I've got a bucket policy to restrict roles (apart from one) from downloading/putting objects of a specific name into my S3 bucket.
However I'm having difficulty restricting the file from even being viewed if the file is there.
I would like to restrict roles from even listing files in the bucket with a prefix of 'audit'. I would still like them to be able to list all other objects in the path.
So far I've tried a few variations of this bucket policy. The role ID is for the role that should be able to view the files
- Sid: 3
Effect: Deny
Principal: "*"
Action:
- s3:ListBucket
Resource:
- arn:aws:s3:::my-bucket/audit*
Condition:
StringNotLike:
aws:userid:
- <THE ALLOWED ROLE ID>:*
I'm getting the following error:
Action does not apply to any resource(s) in statement
(Service: Amazon S3; Status Code: 400;
Error Code: MalformedPolicy; Request ID:
Thank you 😊
You can use aws:PrincipalArn condition to check for the IAM ARN.
Works with ARN operators and string operators.
Use this key to compare the Amazon Resource Name (ARN) of the principal that made the request with the ARN that you specify in the policy. For IAM roles, the request context returns the ARN of the role, not the ARN of the user that assumed the role. To learn which types of principals you can specify in this condition key, see Specifying a principal.
Availability – This key is always included in the request context.
{
"Statement": [
{ "Sid": "1",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:ListBucket"
],
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::1234567890:role/myrole"
]
}
},
"Resource": [
"arn:aws:s3:::my-bucket"
]
}
]
}
Now why it is saying invalid policy because s3:ListBucket permission deals with bucket, not at the object level, so you are getting the error.
s3:GetObject applies to the objects in the bucket so the Resource is correct:
"Resource": "arn:aws:s3:::my-bucket/*".
s3:ListBucket applies to the Bucket itself and so the Resource should be
"Resource": "arn:aws:s3:::my-bucket"
Related
I have an S3 bucket on which I am trying to apply the bucket policy via CloudFormation. I want to allow two IAM roles to access the bucket and is achieved by specifying the ARN of the roles in the bucket policy in the CloudFormation template.
Below is the CloudFormation template:
LandingBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref LandingBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
# yamllint disable-line rule:line-length
- Sid: "Allow s3 permission"
Action:
- s3:PutObject
- s3:GetObject
- s3:ListBucket
Effect: "Allow"
Resource:
- !GetAtt LandingBucket.Arn
- !Sub "${LandingBucket.Arn}/*"
Principal:
AWS:
- !Ref IamRoleArn1
- !Ref IamRoleArn2
Parameters are: IamRoleArn1: arn:aws:iam::1234:role/xyz, IamRoleArn2: arn:aws:iam::1234:role/abc
The final policy from the console looks like below
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "file drop permission",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234:role/xyz",
"AROxxIECxx"
]
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
}
]
}
The first Principal is an IAM role, however, the second one looks like an API key even though in the CloudFormation template I have mentioned the second IAM role ARN just like the first IAM role.
Why is the second role ARN not showing up in the bucket policy?
That is the unique identifier of that particular resource. In this case it is called a RoleId and ARN is just a readable format of the same. Both representation points to the same resource in AWS.
Try running
aws iam get-role --role-name "<you role here>"
the output of this command will have a field named RoleId and should that should clear things out for you.
The unique identifier that starts with AROA represents that it is a role related resource.
It is possible to allow grantee to ONLY download objects from the AWS S3 bucket ? They should not be able to upload any documents in the bucket. If it is possible what bucket permissions should we assign to grantee ? I tried searching this over the web but couldn't find any relevant links.
Thanks in advance!
You can use following URL to generate the required policy.
https://awspolicygen.s3.amazonaws.com/policygen.html
Select Type of Policy : S3 Bucket Policy
Effect: Check Allow
Principal: * (Which means for every one)
Actions: GetObject
Amazon Resource Name (ARN): ARN should follow the following format: arn:aws:s3:::<bucket_name>/<key_name>.
Use a comma to separate multiple values.
Press Add statement and in step 3 you will be able to generate required policy.
Below is a sample policy.
{
"Id": "PolicyID",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1610823452352355758",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::sample-resource-name/*",
"Principal": "*"
}
]
}
I have two iam roles,
allaccessrole (with complete aws account access)
limitedaccessrole (with very limited access to certain services only)
How do I utilize iam:passrole so that limitedaccessrole can utilize the permissions of allaccessrole for creating new resources(ex: a new iam user/ec2 instance)?
I added
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {"iam:PassedToService": "iam.amazonaws.com"}
}
}
]
}
to limitedaccessrole 's policy but when I try creating a new user, it still says
limitedaccessrole is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::myaccnumber:user/new-user-m-trying-to-create
I also tried
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:sts::acc_num:role/limitedaccessrole",
"Condition": {
"StringEquals": {"iam:PassedToService": "iam.amazonaws.com"}
}
}
]
}
This also gives me:
limitedaccessrole is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::myaccnumber:user/new-user-m-trying-to-create
In short is there a way to make limitedaccessrole
create resources (a new iam user + secrets) while utilizing a combination of IAM:Passrole and
an existing allaccessrole (which can do everything)
AND without giving "iam:CreateUser" permission to the limitedaccessrole.
Appreciate any inputs.
EDIT: I think I have a confused understanding of what IAM Passrole does. Looks like iam passrole is to be used when you want some service to have the same permissions as a specified role, but not when you want one role to take on the permissions of another role.
You want to use the sts:AssumeRole permission to accomplish what you're trying to achieve.
The workflow for this is below:
Resource A has Role A. Role A has permission sts:AssumeRole to allow it to assume Role B.
Resource A performs sts:AssumeRole to assume Role B. IAM key, secret key and session ID returned.
Resource performs interaction using SDK/CLI specifying specifically the three values returned.
To summarise, when you assume a role you use the credentials returned to act as the role. It is not automatic, you could support many roles.
My IAM user has the below two policies attached to it.
I created the below IAM policy that prevents lambda from being created if it does not have the Project tag.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "lambda:*",
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
}
]
}
I also need to attach/create a new execution role when creating lambda so I added below
Iam policy to my IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}
I logged into aws console using that IAM user's credentials and tried to create the lambda function without the tag, but it did'nt block the resource creation.I was able to create the lambda function without the required tag but with the following errors.
You are not authorized to perform: cloudformation:DescribeStackResources.
You are not authorized to perform: lambda:GetFunctionEventInvokeConfig.
User: arn:aws:iam::****:user/testuser is not authorized to perform: lambda:ListEventSourceMappings on resource: * with an explicit deny (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 199433ed*****)
How can I completely block the resource creation?
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-require-tag-on-create
Eventually I want to try aws:RequestTag/{TageKey} for all supported aws resources.
Not all AWS services/resources support aws:RequestTag as a condition key.
For lambda it is not allowed. Currently the supported condition keys on lambda:CreateFuncion Action are:
lambda:Layer
lambda:VpcIds
lambda:SubnetIds
lambda:SecurityGroupIds
lambda:CodeSigningConfigArn
As specified on table "Actions defined by AWS Lambda" on column "Condition keys".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html#awslambda-actions-as-permissions
You can check that link and review any other service and validate if a specific Action support the Condition that you need.
For example, for EC2:RunInstances https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html supported conditions are:
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceMarketType
ec2:InstanceProfile
ec2:InstanceType
ec2:IsLaunchTemplateResource
ec2:LaunchTemplate
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:Region
ec2:RootDeviceType
ec2:Tenancy
So in that case you can restrict creation on new EC2 instances based on the presence of Tags but for Lambda it is not supported (for now).
I am using trying to invoke a Lambda from another Lambda, I am getting the error:
AccessDeniedException: User: [role ARN] is not authorized to perform:
lambda:InvokeFunction on resource: [Lambda ARN]
After researching, I found put that I need to attach a Policy to the IAM user to allow the action.
I'm wondering if there's any AWS Managed Policy which allows lambda:InvokeFunction?
If not, what would be the best minimalist policy JSON to create?
A managed role would be the AWSLambdaRole.
If you want to create it on your own:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": "<ARN of the function which is allowed to be invoked>"
}
]
}
For the ARN (Amazon Resource Name) you could also put * (then all functions are allowed to be invoked). Also, you could provide a list of multiple function ARNs.