Am trying to grant the cross account access for S3 bucket to work with lambda function . In that case , first trying assign appropriate bucket policy for both source and target buckets based on the following link .
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
Source Bucket Policy :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::777777777:role/Staff"
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::source-bucktet-testing-lambda/*",
"arn:aws:s3:::source-bucktet-testing-lambda"
]
}
]
}
Target Policy :
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:: 777777777:role/Staff"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::source-bucktet-testing-lambda/*",
"arn:aws:s3:::source-bucktet-testing-lambda"
]
}]
}
But in Target bucket policy is telling , Policy has invalid resource. Can you please help me on this .
Related
Has anyone encountered the situation when I use manage policies on a user, It works but when I use inline policy it says access denied. I am giving Read access to a bucket for IAM user that is it can only access that bucket.
Manage Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}
]
}
Inline Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::mybucketname/*"
}
]
}
I also tried this
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3Permissions",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucketname/*",
"arn:aws:s3:::mybucketname"
]
}
]
}
Your last policy should be fine for direct access to the bucket as explained in:
How can I grant a user Amazon S3 console access to only a certain bucket or folder?
For console access, additional permissions are required, as shown in:
Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
Specifically the policy should like like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
Amazons3ReadonlyAccess has all the above permissions, your inline policy does not.
I have a public S3 bucket which has 2 folders inside it, public-folder and private-folder
I want everyone to access the public-folder and I want only user1 to access private-folder programmatically.
Inside the S3 bucket, I have added the following policy:
{
"Version": "2012-10-17",
"Id": "Policy1568654876568",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn-of-user1"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/private-folder/*"
}
]
}
from the IAM, I have created a policy for user1 to be able to access the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
Is there a better way to achieve this goal? Would be possible to deny everyone to access the private-folder using S3 policy and then override that using IAM policy that I have defined for user1?
Wouldn't the following be easier and more natural to do if you have public-folder and private-folder. The following is based on the fact that buckets and its objects are private by default.
Bucket policy
It allows public access to public-folder:
{
"Version": "2012-10-17",
"Id": "Policy1568654876568",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/public-folder/*"
}
]
}
User policy
It allows putting, getting and deleting objects in private-folder, as well as listing the bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/private-folder/*"
}
]
}
Would be possible to deny everyone to access the private-folder using S3 policy and then override that using IAM policy that I have defined for user1?
Explicit deny overwrites any allow. Thus if you deny access to everyone, you can't use any IAM policy to allow access.
I am trying to add the below bucket policy that would deny access to the bucket for any (get, put, delete) operation except my AWS lambda. Can you please help why this is not working
{
"Version": "2012-10-17",
"Id": "Policy#####",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::#####-s3-file-upload/*"
],
"Condition": {
"ArnNotEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:5######1:function:temp_read_s3"
}
}
}
]
}
Step 1: Create lambda execution role for lambda.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::XXX-s3-file-upload",
"arn:aws:s3:::XXX-s3-file-upload/*"
]
}]
}
Step 2: Add that role to lambda
Step 3: Add that role to S3 policy to restrict only that role.
{
"Version": "2008-10-17",
"Statement": [{
"Sid": "S3 Access Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2XXXXXXXXX:role/executionrole"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::sample_bucket",
"arn:aws:s3:::sample_bucket/*"
]
}]
}
This way you can restrict only specific lambda. For other lambda you can use different execution role.
Reference : https://aws.amazon.com/premiumsupport/knowledge-center/lambda-execution-role-s3-bucket/
solution for lambda is to add an assumed role. With a bit of digging and troubleshooting, I realized that the Lambda function assumes the role you provide, and that assumed role must also be added to the S3 bucket policy as below.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "2",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::55account_id111:role/iam_policy_role",
"arn:aws:sts::55account_id111:assumed-role/#####_lambda_role/lambda_function"
]
},
"Action": [ "s3:GetObject",
"s3:PutObject",
"s3:DeleteObject" ]
"Resource": [
"arn:aws:s3:::######-bucketName/*",
"arn:aws:s3:::######-bucketName"
]
}
]
}
I am using inline policy for grant access to s3 bucket for IAM user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::newput-test"
]
}
]
}
but on extended s3 browser when I use the access key id and secret access key of particular IAM user is not listing my bucket.but when I pass * in resources It works fine
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
]
}
but the problem is its giving access to all the s3 bucket to IAM user.
but I want to give access only single bucket anybody have an idea how to achieve this.
Try something like this
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mys3bucket",
"arn:aws:s3:::mys3bucket/*"
]
}
]
}
Its been explained here.
http://www.fizerkhan.com/blog/posts/Restrict-user-access-to-Single-S3-Bucket-using-Amazon-IAM.html
I want to download the whole bucket to a local directory. I tried:
aws s3 sync s3://my-bucket-name . --profile default
I got an authentication error:
download failed: s3://my-bucket-name/thumbnail.jpg to path to
local/thumbnail.jpg A client error (Unknown) occurred when calling the
GetObject operation: Unknown
I believe my IAM is configured correctly as it gives full access to S3 buckets. it works when I try another command, such as:
aws s3 ls
My inline policy for the IAM user is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::*"]
}
]
}
Did I miss something in this setup?
You could use the following policy if you want to access via cli as well as web console and restrict the bucket to the user and some basic actions on it:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOURBUCKET"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListObjects"
],
"Resource": [
"arn:aws:s3:::YOURBUCKET/*"
]
}
]
}
There is issue in the policy. Change the policy to below.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*"
}
]
}
If you want user to access just one bucket then use below policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::name-of-bucket/*"
}
]
}