AWS S3 Error 'Policy has invalid resource' - amazon-web-services

I was moving S3 bucket from source bucket to destination bucket.
below is reference to do the work.
https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/?nc1=h_ls
but I've got error while making policy. error message is Policy has invalid resource
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<SOURCE_BUCKET_NAME>",
"arn:aws:s3:::<SOURCE_BUCKET_NAME>/*"
]
},
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<DESTINATION_BUCKET_NAME>",
"arn:aws:s3:::<DESTINATION_BUCKET_NAME>/*"
]
}
]
}
I had changed policy for test and It worked. difference is as follows.
arn:aws:s3:::<SOURCE_BUCKET_NAME> > arn:aws:s3:::<DESTINATION_BUCKET_NAME>
I don't know why It doesn't work if I fill out my SOURCE_BUCKET_NAME.
I swear source bucket name is not wrong. you might think that question is like a fool and I also assume It'll be nothing but I couldn't find any point. Please give me a hand if you know the answer. thanks for reading :)
+ be added
bucket policy that I attached to the source bucket.
replaced principal is ARN of the IAM identity in target(destination) account.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxx:user/ws.kim"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<SOURCE_BUCKET_NAME>/*",
"arn:aws:s3:::<SOURCE_BUCKET_NAME>"
]
}
]
}

The reason is that this is invalid bucket policy. Instead it should be managed IAM policy that you create and attach to IAM role or user.
Please check the How can I copy S3 objects from another AWS account? article again and you will be able to properly setup this policy.

Related

AWS IAM policy issue

I created an IAM user named sally and did not attach any managed policy while creating. Then attached the following IAM policy to it.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "S3:*",
"Resource": [
"arn:aws:s3:::cat-pics",
"arn:aws:s3:::cat-pics/*"
],
"Effect": "Allow"
}
]
}
But when I log in as sally user into the console, I keep getting the following error:
Error
Access Denied
Basically, the user is not able to see the cat-pics bucket or any objects uploaded to it. What am I missing here? Do I need to add any managed policy to the user? Please let me know.
Thanks
This is the correct policy document for a user trying to access buckets through console.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsSupportBucketResourceType",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::cat-pics"
]
},
{
"Sid": "TheseActionsRequireAllResources",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListMultipartUploadParts"
],
"Resource": [
"*"
]
},
{
"Sid": "TheseActionsRequireSupportsObjectResourceType",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::cat-pics/*"
]
}
]
}
Detailed explanation for the issue is provided here:
https://aws.amazon.com/blogs/security/iam-policy-summaries-now-help-you-identify-errors-and-correct-permissions-in-your-iam-policies/
Thanks
The problem is that this policy allows full access to only this bucket, but if you use the Console you need other permissions to reach that. The AWS documentation states that you need the GetBucketLocation and the ListAllMyBuckets permissions, which are outside of the bucket, to use the console.
Add this to the policy and it should work:
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},

How to restrict user to view only specific buckets

I have a set of users: user1 and user2. Ideally they should have access to read and write in their own buckets.
I want to give them console access so they can login and upload the data in S3 through drag and drop.
So I want to the ability of one user to view buckets of other users.
I am using the following IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::user1_bucket",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": "arn:aws:s3:::user1_bucket/*",
"Condition": {}
}
]
}
But it does not show any bucket for the user. All the user can see is Access Denied .
I tried to add principal in the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::9xxxxxxxxxx:user/user1"},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::user1_bucket"
]
}
]
}
This gives an error.
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
What can I do ?
There are two ways you can do this.
Bucket policies: You select who can access and control said bucket, by attaching a policy. Example for your case:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "bucketAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS-account-ID:user/user-name"
},
"Action": [
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::examplebucket/*"
]
}
]
}
Source: Bucket Policy Examples - Amazon Simple Storage Service
Or you can give access through role policies, which I think is better. You almost had it, but you messed up at the end. Your policy should look something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::examplebucket"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::examplebucket/"
}
]
}
Source: User Policy Examples - Amazon Simple Storage Service
I hope this helps.
It appears that your requirement is:
Users should be able to use the Amazon S3 management console to access (view, upload, download) their own S3 bucket
They should not be able to view the names of other buckets, nor access those buckets
With listing buckets
The first requirement can be met with a policy like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AccessThisBucket",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Sid": "ListAllBucketForS3Console",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
This allow them to access their specific bucket, but it also allows them to list all bucket names. This is a requirement of the Amazon S3 management console, since the first thing it does is list all of the buckets.
Without listing buckets
However, since you do not want to give these users the ability to list the names of all buckets, you could use a policy like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
This gives them full access to their own bucket, but they cannot list the names of other buckets.
To use this in the management console, they will need to jump directly to their bucket using a URL like this:
https://console.aws.amazon.com/s3/buckets/my-bucket
This will then allow them to access and use their bucket.
They will also be able to use AWS Command-Line Interface (CLI) commands like:
aws s3 ls s3://my-bucket
aws s3 cp foo.txt s3://my-bucket/foo.txt
Bottom line: To use the management console without permission to list all buckets, they will need to use a URL that jumps straight to their bucket.

What is Wrong With My AWS Policy?

I am trying to give a programmatic IAM user access to a single bucket.
I setup the following policy and attached it to the user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
Trying to programatically upload a file I got a 403.
I got this policy from here:
Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
I verified that everything else is working by then adding an AWS managed policy, AmazonS3FullAccess, after which my upload succeeded. But I would rather not give this user full access.
There are no other policies attached to this user.
Nothing is wrong with your policy. Make sure you're using the right bucket name in the IAM policy and to add the policy to the user.
You can test it with IAM Policy Simulator. Maybe you should consider the time to policies take effect, but it's "almost immediately". See this answer.
You can try this policy to give full access to a particular bucket:
{
"Version": "2012-10-17",
"Statement": [{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<BUCKETNAME>/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
Since you are providing Put, Get, Delete, You might as well provide full access to the particular bucket.

Specifying the correct IAM permission for access to multiple s3 buckets

I am trying to give users read/write/list permissions to certain buckets and my IAM policy is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::kl-bucket1",
"arn:aws:s3:::kl-bucket2",
"arn:aws:s3:::kl-bucket3",
"arn:aws:s3:::kl-bucket4"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::kl-bucket3",
"arn:aws:s3:::kl-bucket4"
]
}
]
}
When I try to write to bucket4 I get an 403 error, however if I give full permission like below then I am able to write to bucket4.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
What could be the issue?
P.S. While this issue is similar to S3: How to grant access to multiple buckets? the actual problem is different.
The issue was that I also setting the Access control after PutObject, while the IAM policy was setting that permission.
#Asarluhi's answer helped.
Have modified the Action to:
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],

Proper (optimal) configuration of S3 Bucket Policy with IAM User

I'd have some experience with S3 bucket policies but recently I've started experimenting with IAM users/groups and S3 bucket ACLs. What bothers me is that I fail to understand how they work together. Who overwrites what? What I want to accomplish is to have specific IAM user (with credentials) that will be used as for uploading in my application. I've attached IAM Policy to it that looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::*"
}
]
}
This policy is attached to the IAM user. Then I've created following policy on S3 Bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DefaultPrivate",
"Effect": "Deny",
"Principal": "*",
"Action": "*",
"Resource": "arn:aws:s3:::xxxxx-xxxxxx-xxxx/*"
},
{
"Sid": "ThumbnailAndGaleryReadOnly",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::xxxx-xxx-xxxx-xxxx/*/xxxxx/*",
"arn:aws:s3:::xxxxx-xxxxx-xxxxx/*/xxxxxxx/*"
]
},
{
"Sid": "S3UploaderWrite",
"Effect": "Allow",
"Principal": {"AWS":"arn:aws:iam::xxxxxxxxxx:user/xxxxxxxx"},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::xxxxxxxxxxxx/*"
}
]
}
Unfortunately as long as "Deny" block is present in the S3 policy - it doesn't allow my S3 user to upload files. Is it possible that I can't "override" Deny for specific user with the "Allow" block (IAM identifier is ok - I've double checked). Removing "Deny" blocks get it to work but ... That's not the point.
Any comments about the issue? How to explicitly deny everything and then allow only certain actions for certain IAM users/groups/roles ?
Thanks.
U could remove deny principal *. U could specify ur denied user or roles like "Principal": {"AWS":"arn:aws:iam::xxxxxxxxxx:user/xxxxxxxx"}. Its solve ur problem.