AWS Root User Permission Denied on S3 Bucket policy - amazon-web-services

I created a new bucket on AWS S3 from the web wizard.
I was logged in as root user
I am attempting to add a Bucket policy as follows
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AddPerm",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3:::<my-bucket-name-is-here>/*"
    ]
  }]
}
I get permission denied in both the web editor and the CLI.
Web tool: (screenshot of the error)
CLI:
An error occurred (AccessDenied) when calling the PutBucketPolicy operation: Access Denied
In the IAM settings, the root user has full access:
"Statement": [
  {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }
]
I added
{
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": "*"
}
I also tried adding
{
  "Sid": "ModifyBucketPolicy",
  "Action": [
    "s3:GetBucketPolicy",
    "s3:PutBucketPolicy"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:s3:::<MY-BUCKET-NAME>*"
},
I still don't have permissions

Thanks to #JohnRotenstein I see that because I accepted the default "Block All Public Access" from AWS I was unable to edit the bucket policy. This makes sense, since the bucket policy can also control access and could thus conflict.
However, the error message is confusing since it makes no mention of the fact that it is the Block public access (bucket settings) that prevented updating. The error message stating access denied / you don't have permissions made me think it was the IAM settings on my user that were preventing me from modifying the resource.
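As an added example (not part of the original post or its answers), here is a Python pre-flight check for exactly this situation: it looks at a bucket policy the way S3's "Block public access" does and tells you before the call why PutBucketPolicy would return AccessDenied. The publicness test is a simplified version of S3's rule (an Allow whose Principal is "*" with no condition that narrows the caller); the set of condition keys, the sample policy, the bucket name and the CLI shape are constructed for the example. The optional live branch assumes boto3 and valid credentials; the pure functions run offline.

```python
import json
import sys

# Condition keys that make an Allow for "*" non-public under S3's "meaning of public"
# rule. Constructed as a partial list for this example; check the S3 docs for the
# full set before relying on it.
NON_PUBLIC_CONDITION_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourcevpc", "aws:sourcevpce",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _condition_restricts_caller(condition):
    for pairs in condition.values():
        for key, values in pairs.items():
            key = key.lower()
            if key == "aws:sourceip":
                # an IP condition narrows the caller unless it admits the whole internet
                if not any(v in ("0.0.0.0/0", "::/0") for v in _as_list(values)):
                    return True
            elif key in NON_PUBLIC_CONDITION_KEYS:
                return True
    return False


def public_statements(policy):
    """Sids (or positional ids) of statements that would make the policy public."""
    found = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if (st.get("Effect") == "Allow"
                and _principal_is_anonymous(st.get("Principal"))
                and not _condition_restricts_caller(st.get("Condition", {}))):
            found.append(st.get("Sid", f"statement[{i}]"))
    return found


def explain_put_bucket_policy(policy, public_access_block):
    """None if PutBucketPolicy should go through; otherwise the reason it will be refused.
    public_access_block is the PublicAccessBlockConfiguration dict from GetPublicAccessBlock."""
    if not public_access_block.get("BlockPublicPolicy"):
        return None
    sids = public_statements(policy)
    if not sids:
        return None
    return ("PutBucketPolicy will return AccessDenied: BlockPublicPolicy is on and "
            + ", ".join(sids) + " grants public access. Remove the public grant, or "
            "turn off 'Block public access to buckets and objects granted through "
            "new public bucket or access point policies' on the bucket first.")


# Constructed sample: the policy from the question (placeholder bucket name) and the
# console's default "Block all public access" settings.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::my-bucket/*"]}],
}
DEFAULT_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # live use: script.py <bucket> <policy.json>; needs boto3 + credentials
        import boto3
        from botocore.exceptions import ClientError

        bucket, path = sys.argv[1], sys.argv[2]
        with open(path) as fh:
            policy = json.load(fh)
        s3 = boto3.client("s3")
        try:
            pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
        except ClientError as exc:
            if exc.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = {}  # no bucket-level setting; an account-level block may still apply
        reason = explain_put_bucket_policy(policy, pab)
        if reason:
            sys.exit(reason)
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
        print("policy applied")
    else:
        print(explain_put_bucket_policy(SAMPLE_POLICY, DEFAULT_BLOCK))
```

Note that the check only reads the bucket-level setting; the same four flags can also be set at the account level (S3 Control GetPublicAccessBlock), and an account-level BlockPublicPolicy refuses the call just the same.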

Related

S3 Policy Help - Full access for IAM user. Public read only access for single folder

I have an IAM user created with a policy for my bucket. With "public block access" enabled I can interact with the bucket as expected through this user.
Now I need to make a single public read-only folder using bucket policies, but I am not having any luck. I created the below policy which should:
Disable all access to all principals
Enable all access for my IAM user
Enable read-only access to specific folders for all users.
{
  "Id": "Policy1676746531922",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1676745894018",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::bucket/*",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1676746261470",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000:user/bucket-user"
        ]
      }
    },
    {
      "Sid": "Stmt1676746523001",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/read-only-folder",
      "Principal": "*"
    }
  ]
}
I guess you cannot layer up access in this way, but I am unsure how to construct what I need. If I go with a single read policy to open up one folder, I still seem to be able to access all other folders publicly too:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/public/*"
    }
  ]
}
I can access "/public" but can still access "/private" too.
I need a way first to lock down the entire bucket and then open up the folders I want to provide access for?
Your policy is failing because Deny always overrides an Allow.
The first statement in the policy will Deny access to the bucket for everyone (including you!).
Your second policy on arn:aws:s3:::bucket-name/public/* is the correct way to go. It will only grant anonymous access to that particular folder.
If you are able to access other folders, then either there are other policies that exist, or you are using "authenticated access" using your own AWS credentials. Make sure when you test it that you are putting a URL into a web browser that simply looks like: https://bucket-name.ap-southeast-2.s3.amazonaws.com/foo.txt

Getting "Insufficient permissions to list objects" error with S3 bucket policy

I setup a bucket policy to allow two external users arn:aws:iam::123456789012:user/user1 and arn:aws:iam::123456789012:user/user2 to access everything under a particular path in our S3 bucket - s3:my-bucket-name/path/. But the user is getting the following error when trying to access the path on AWS console:
Insufficient permissions to list objects
After you or your AWS administrator have updated your permissions to allow the s3:ListBucket action, refresh the page. Learn more about identity and access management in Amazon S3.
Here's the policy document. What am I missing here?
{
  "Version": "2012-10-17",
  "Id": "allowAccessToBucketPath",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/user1",
          "arn:aws:iam::123456789012:user/user2"
        ]
      },
      "Action": [
        "s3:PutObject",
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket-name/path/*",
        "arn:aws:s3:::my-bucket-name/path"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/user1",
          "arn:aws:iam::123456789012:user/user2"
        ]
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket-name",
      "Condition": {
        "StringLike": {
          "s3:prefix": "path/*"
        }
      }
    }
  ]
}
I would check if you have any ACLs enabled for your bucket. In your bucket settings, check if Object Ownership is set to "ACLs enabled", in which case I would suggest you change it to "ACLs disabled".
If that doesn't work, I would suggest using the IAM Access Analyzer to help troubleshoot -- if the Access Analyzer says that your policy does in fact allow the access you want, then that would indicate that this policy is correctly defined, and you have other configurations on your bucket preventing the access.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html

Copy S3 object to another S3 location Elastic Beanstalk SSH setup error

Getting this Elastic Beanstalk permission error when trying to do:
eb ssh --setup
2020-07-06 07:36:50 INFO Environment update is starting.
2020-07-06 07:36:53 ERROR Service:Amazon S3, Message:You don't have permission to copy an Amazon S3 object to another S3 location. Source: bucket = 'tempsource', key = 'xxx'. Destination: bucket = 'tempdest', key = 'yyy'.
2020-07-06 07:36:53 ERROR Failed to deploy configuration.
Is there a specific policy that I should be adding to my IAM permissions? I've tried adding full S3 access to my IAM User, but the error remains. Or is it a permissions error associated with the source bucket?
Some more details:
Both buckets are in the same AWS account. The copying operation doesn't work for AWS CLI copy commands.
Bucket Profiles
Source Bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::SOURCE_BUCKET/*"
    },
    {
      "Sid": "Stmt2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::SOURCE_BUCKET"
    }
  ]
}
Destination Bucket (elasticbeanstalk-us-west-2-XXXXXXXXXXXX)
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/*",
        "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/resources/environments/logs/*"
      ]
    },
    {
      "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX",
        "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/resources/environments/*"
      ]
    },
    {
      "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX"
    }
  ]
}
I've tried adding full S3 access to my IAM User, but the error remains.
The error is not about your IAM permissions (i.e. your IAM user), but about the role that EB is using for the instance (i.e. the instance role/profile):
Managing Elastic Beanstalk instance profiles
The default role used on the instances is aws-elasticbeanstalk-ec2-role. Thus you can locate it in the IAM console and add the required S3 permissions. Depending on your setup, you may be using a different role.
Or is a permissions error associated with the source bucket?
If you have bucket policies that deny the access, it could also be the reason.

S3 PutObject Access Denied when deploying to

I want to create an IAM user whose sole job is to deploy to AWS S3 Static Website.
I have this policy given to my DeployUser:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::www.<my-site-name>.com"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutBucketAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
    }
  ]
}
And this is my bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
    }
  ]
}
And this is the issue I get when I deploy (I am using Github Actions for this):
upload failed: public/404.html to s3://www.<my-site-name>.com/404.html An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
In Github, I passed the access key and secret of the user to my Action. I am pretty sure it is using that user to do the transaction. When I give S3FullAccess, my user is able to do it just fine. But I want to create a user with the AWS actions it only needs.
Where can I see better logs of this IAM user's actions?
Based on the comments, the solution was to add PutObject in the backed policy for the DeployUser.

AWS S3: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

I have an AWS account with read/write permissions as shown below:
I'd like to make it so that an IAM user can download files from an S3 bucket but I'm getting access denied when executing aws s3 sync s3://<bucket_name> . I have tried various things, but not to avail. Some steps that I did:
Created a user called s3-full-access
Executed aws configure in my CLI and entered the generated access key id and secret access key for the above user
Created a bucket policy (shown below) that I'd hoped grants access for my user created in first step.
My bucket has a folder named AffectivaLogs in which files were being added anonymously by various users, and it seems like, though the bucket is public, the folder inside it is not, and I am not even able to make it public; it leads to the following error.
Following are the public access settings:
Update: I updated the bucket policy as follows, but it doesn't work.
To test the situation, I did the following:
Created an IAM User with no attached policies
Created an Amazon S3 bucket
Turned off S3 block public access settings:
Block new public bucket policies
Block public and cross-account access if bucket has public policies
Added a Bucket Policy granting s3:* access to the contents of the bucket for the IAM User
I then ran aws s3 sync and got Access Denied.
I then modified the policy to also permit access to the bucket itself:
{
  "Id": "Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket/*",
        "arn:aws:s3:::my-bucket"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/stack-user"
        ]
      }
    }
  ]
}
This worked.
Bottom line: Also add permissions to access the bucket, in addition to the contents of the bucket. (I suspect it is because aws s3 sync requires listing of bucket contents, in addition to accessing the objects themselves.)
If you have KMS encryption enabled on the bucket, you should also add a policy that allows you to decrypt data using the KMS key.
You can configure the S3 policy with the required principal
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountId:user/*"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket"
    },
    {
      "Sid": "GetObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountId:user/*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
Or you can create an IAM policy and attach it to the role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket"
    },
    {
      "Sid": "GetObject",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
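Several of the answers above rest on the same few evaluation rules: an explicit Deny beats any Allow (the public read-only folder thread), a Resource of bucket/* covers objects but not the bucket itself, so s3:ListBucket needs the bucket ARN (the aws s3 sync thread), an s3:prefix condition only admits listings that actually carry a matching prefix (the "Insufficient permissions to list objects" thread), and a copy is checked against the instance role rather than your user (the Elastic Beanstalk thread). As an added example that is not part of any of these posts, the Python below is a small evaluator that models just those rules and replays each thread's policy against the request that failed. It is a same-account simplification (the extra cross-account requirement of an Allow on both sides is not modelled), only StringLike and StringEquals conditions are handled, and the account id, user and role ARNs, bucket names and object keys are constructed for the example.

```python
import fnmatch

ANONYMOUS = "*"  # caller value used for an unauthenticated (public) request

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _glob(pattern, value):
    # IAM wildcards are * and ?; escape [ so fnmatch does not read it as a class
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def _principal_matches(principal, caller):
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return "*" in aws or caller in aws

def _conditions_hold(condition, ctx):
    # only the two operators these threads use are modelled
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            value, pats = ctx.get(key), _as_list(patterns)
            if value is None:  # key absent from the request, so the condition fails
                return False
            if operator == "StringLike" and not any(_glob(p, value) for p in pats):
                return False
            if operator == "StringEquals" and value not in pats:
                return False
    return True

def evaluate(policies, caller, action, resource, ctx=None):
    """"Allow" or "Deny" for one request across a set of policy documents. A statement with no
    Principal is an identity policy of the caller, so it never applies to anonymous requests."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if "Principal" in st:
                if not _principal_matches(st["Principal"], caller):
                    continue
            elif caller == ANONYMOUS:
                continue
            if not any(_glob(a, action) for a in _as_list(st["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
                continue
            if not _conditions_hold(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny otherwise

USER = "arn:aws:iam::123456789012:user/bucket-user"  # constructed sample ARNs
ROLE = "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role"

def deny_beats_allow():
    # Public-folder thread, first policy: the Deny for "*" also hits the named user.
    policy = {"Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": [USER]}, "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/*"},
    ]}
    return evaluate([policy], USER, "s3:GetObject", "arn:aws:s3:::bucket/read-only-folder/a.txt")

def public_prefix_only():
    # Public-folder thread, second policy: anonymous read of public/* only; the account's own
    # IAM user still reads private/* through its identity policy ("authenticated access").
    bucket_policy = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                                    "Resource": "arn:aws:s3:::bucket-name/public/*"}]}
    identity_policy = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    pols = [bucket_policy, identity_policy]
    return (evaluate(pols, ANONYMOUS, "s3:GetObject", "arn:aws:s3:::bucket-name/public/index.html"),
            evaluate(pols, ANONYMOUS, "s3:GetObject", "arn:aws:s3:::bucket-name/private/secret.txt"),
            evaluate(pols, USER, "s3:GetObject", "arn:aws:s3:::bucket-name/private/secret.txt"))

def list_bucket_with_prefix_condition():
    # ListBucket thread: the s3:prefix condition admits a listing under path/ but denies
    # a listing of the bucket root, which carries no prefix at all.
    bucket = "arn:aws:s3:::my-bucket-name"
    policy = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": [USER]}, "Action": "s3:ListBucket",
                             "Resource": bucket, "Condition": {"StringLike": {"s3:prefix": "path/*"}}}]}
    return (evaluate([policy], USER, "s3:ListBucket", bucket, {"s3:prefix": "path/"}),
            evaluate([policy], USER, "s3:ListBucket", bucket, {}))

def bucket_arn_needed_for_listing():
    # aws s3 sync thread: bucket/* covers objects only; ListBucket is evaluated on the bucket ARN.
    objects_only = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": [USER]}, "Action": "s3:*",
                                   "Resource": "arn:aws:s3:::my-bucket/*"}]}
    with_bucket = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": [USER]}, "Action": "s3:*",
                                  "Resource": ["arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket"]}]}
    return (evaluate([objects_only], USER, "s3:ListBucket", "arn:aws:s3:::my-bucket"),
            evaluate([with_bucket], USER, "s3:ListBucket", "arn:aws:s3:::my-bucket"))

def copy_needs_both_sides():
    # Elastic Beanstalk thread: a copy is GetObject on the source plus PutObject on the
    # destination, both checked against the instance role, not against your IAM user.
    role_policy = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::tempsource/*"}]}
    return (evaluate([role_policy], ROLE, "s3:GetObject", "arn:aws:s3:::tempsource/xxx"),
            evaluate([role_policy], ROLE, "s3:PutObject", "arn:aws:s3:::tempdest/yyy"))
```

Each scenario function returns the decision(s) for the request that the corresponding thread was asking about, so you can drop your own policy document and request into evaluate() to see which rule is producing the AccessDenied before reaching for IAM Access Analyzer.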