Cognito Identity access bucket from another account - amazon-web-services

Here is the scenario.
AWS accountA has an S3 bucket.
AWS accountB has a Cognito user pool and Cognito identity set up.
Also, accountB is running an Amplify app (so there is a fixed origin URL).
I want to allow logged-in users from accountB to put/get objects from the bucket in accountA.
How do I configure the bucket to allow that?
How do I configure the identity pool?

This is simple: the bucket would need to be updated to include a bucket policy that grants access to the role that the group in the identity pool uses.
Once this is done, you would need to update the policy on the IAM role to grant access to the bucket, referencing the actions and resources as if they're in your account.
Take a look at the "How can I provide cross-account access to objects that are in Amazon S3 buckets?" article to get in-depth instructions for enabling cross-account support for the S3 bucket.
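
The two policies the answer describes, as an added example that is not part of the original answer: a bucket policy for accountA naming the identity pool role, the matching identity policy for that role in accountB, and a check that reports grants present on only one side, since cross-account access needs both. The bucket name, account ID and role name are constructed placeholders, and the check compares actions and resources as exact strings (no wildcard expansion).

```python
import json

# Constructed placeholders: substitute your own bucket and identity pool role.
BUCKET = "example-bucket-in-account-a"
ROLE_ARN = "arn:aws:iam::222222222222:role/example-cognito-auth-role"
ACTIONS = ["s3:GetObject", "s3:PutObject"]


def bucket_policy(bucket, role_arn, actions):
    """Resource-based policy for the bucket in accountA; names the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCognitoAuthRoleFromAccountB",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": actions,
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]}


def role_policy(bucket, actions):
    """Identity-based policy for the role in accountB; it has no Principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": actions,
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]}


def as_list(value):
    return value if isinstance(value, list) else [value]


def allowed(policy):
    """Set of (action, resource) pairs granted by the Allow statements."""
    return {(a, r) for st in policy["Statement"] if st["Effect"] == "Allow"
            for a in as_list(st["Action"]) for r in as_list(st["Resource"])}


def cross_account_gaps(bucket_pol, role_pol):
    """Grants that exist on one side only and therefore have no effect."""
    b, r = allowed(bucket_pol), allowed(role_pol)
    return {"missing_in_role_policy": sorted(b - r),
            "missing_in_bucket_policy": sorted(r - b)}


if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKET, ROLE_ARN, ACTIONS), indent=2))
    print(json.dumps(role_policy(BUCKET, ACTIONS), indent=2))
```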

Related

Amplify S3 Documentation "Using Amazon S3" - How to update Auth_Role policies?

I'm trying to understand the AWS Amplify documentation section "Using Amazon S3". It says:
If you set up your Cognito resources manually, the roles will need to be given permission to access the S3 bucket.
There are two roles created by Cognito: an Auth_Role that grants signed-in-user-level bucket access and an Unauth_Role that allows unauthenticated access to resources. Attach the corresponding policies to each role for proper S3 access. Replace {enter bucket name} with the correct S3 bucket.
And then the docs provide JSON examples of Policies for Auth_Role and Unauth_Role. What's confusing me is that when I go into my Roles in my IAM console, I have the following:
amplify--dev-153155-authRole (contains AppSync resources)
amplify--dev-153155-authRole-idp (log group resources)
amplify--dev-153155-unauthRole (empty)
Neither of which contain anything like the JSON examples. The "...authRole" Policy contains actions/resources concerning AppSync, but nothing to do with S3. Likewise for the other two. I expected to find permissions to allow my Amplify app to get/store S3 items, otherwise how is it able to currently do it?
So my questions are:
How do I create and attach the policies provided in the above documentation? Do I simply paste the JSON into new policies in my IAM console, and attach them to the Auth_Role?
Where are the default permissions stored? I have set up an amplify app and added S3 with amplify add storage. I can connect to the S3 bucket to add and retrieve files - so presumably there must be existing Policies. But my Auth_Role contains no Policies that reference S3?

How can I find all resources that can access an S3 bucket

I have an S3 bucket, and I want to know which AWS resources have permission to access it (security audit). There is nothing in the bucket policy itself - permissions are defined using IAM policies on the resources.
I have a LOT of different components on this project. Is there a way to find all the resources that have permissions for this bucket? Or do I have to check the IAM policies on every single resource in the account?

In AWS, are S3 and IAM permissions different?

After creating an S3 bucket in AWS - I want to find out how permissions for Read and Write access to the S3 bucket should be provided?
I am thinking that IAM user permissions and S3 bucket permissions are different. What I mean is - an IAM user with no permissions on AWS can be granted access to the S3 bucket by just adding him to the S3 bucket's permissions for read or read+write accordingly. And S3 permissions have got nothing to do with IAM permissions.
Is the above understanding correct? Please correct and elaborate if the above is wrong?
"And S3 permissions have got nothing to do with IAM permissions"
This is not the case. The effective permissions for the bucket and its objects are the union of the IAM identity-based permissions (i.e. those attached to an IAM user, role, or group) plus bucket policies plus other permissions (SCPs, IAM boundaries), which I don't mention for simplicity.
By default bucket and objects are private. You can Allow access to them using either IAM policies, bucket policies or both. Effective permissions will be the union of all these individual permissions. This means that you can use bucket policy to grant access to object1 and IAM policy to grant access to object2 to the same IAM user. The said user will be able to access both objects.
This behavior changes when there is Deny, as deny always wins. So an IAM user can have Allow in IAM policies to a given bucket, but the bucket can have Deny for that user. The result will be Deny always.
Subsequently, all these mean that bucket policies and IAM permissions should be considered together and are inter-connected with each other. Thus, you can't say that "S3 permissions have got nothing to do with IAM permissions".
An IAM User has no permissions by default. If they wish to do anything via an authenticated API call, they must be granted permission to do so.
Even if an Amazon S3 bucket policy grants access to an IAM User, they cannot access content in Amazon S3 unless their IAM permissions allow them to make the associated API call (eg ListBuckets or GetObject).
Please note that I am referring to an authenticated API call, not an anonymous HTTP request via a web browser URL.
A Bucket Policy can grant "public access" by referring to "Principal": "*" (which means that even unauthenticated users can retrieve content via a URL), or it can grant access to specific IAM Users and IAM Roles. However, if that user/role doesn't have permission to call any S3 Actions, then they cannot access the bucket.
A Deny policy from either IAM or a Bucket Policy takes precedence over Allow. So, an IAM User with permission to access a bucket can be denied by the Bucket Policy, and vice versa.
In AWS IAM is the place to generate all policies and to assign them to users and/or roles.
As a general rule, AWS recommends using S3 bucket policies or IAM policies for access control.
"S3 ACLs are a legacy access control mechanism that predates IAM. However, if you already use S3 ACLs and you find them sufficient, there is no need to change."
By default, a user/role is assuming the policies provided by an SCP which stands for "service control policy". It is very similar to the policies you probably faced but this is provided by the account level/or organization level.
Among all options to generate and assume policies, there is a logical "and", which means that if there is at least 1 "deny" among the policies, it will restrict the access of a user/role, for instance to a specific bucket in your case.

How to identify which policy/role is granting access to S3 bucket

I have a Cognito pool / Federated identity setup with users receiving temporary IAM credentials via AWS Amplify. These users have access to getObject from a couple S3 buckets even though:
The buckets have all public access disabled
The buckets policy page is blank
The IAM role associated to the Cognito groups that these users are members of (Trust Relationship with cognito-identity.amazonaws.com) has no policies attached that grant any S3 permissions. Policies attached are only for AppSync, Cognito, and APIGateway
If I create a new bucket and point getObject at a contained object, the users get 403 Forbidden, an indication that some bucket-specific policy somewhere is granting access. Problem is we have so many policies and roles, many used in production, so I can't simply do on/off testing to narrow it down.
Is there a way somehow to trace what policy/role is providing access for a specific S3 getObject request?
EDIT I've run the IAM Policy Simulator for the role associated with the Cognito groups and it gives denied for the objects in question.
The objects I'm trying to have access correctly blocked for have no permissions set for them. The buckets have:
Block new public ACLs and uploading public objects (Recommended): True
Remove public access granted through public ACLs (Recommended): True
Block new public bucket policies (Recommended): True
Block public and cross-account access if bucket has public policies (Recommended): True
UPDATE I've added CloudTrail logging to my buckets. While an event with eventname = 'GetObject' is logged for any downloads I do from the bucket via console, no events are logged for s3.getObject downloads via the AWS JavaScript SDK. How can I get these events to log?
Use CloudTrail to log Amazon S3 API Calls.
An event logged in CloudTrail for S3 actions includes information about the requested action, the date and time of the action, request parameters, and the user identity, for example:
arn:aws:iam::123456789012:user/Alice
arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName
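
One way to use those logged identities for the audit in the question, as an added example that is not part of the original answer: it groups successful GetObject events on one bucket by caller and maps assumed-role sessions back to the role that issued them, which is the role whose policies then need review. The records are constructed, trimmed to the fields used, and reuse the example ARNs above; the bucket names are placeholders.

```python
import json
from collections import Counter

# Constructed CloudTrail records, trimmed to the fields used below.
ROLE = "arn:aws:iam::123456789012:role/RoleToBeAssumed"
SESSION = "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName"
ROLE_ID = {"type": "AssumedRole", "arn": SESSION,
           "sessionContext": {"sessionIssuer": {"arn": ROLE}}}
USER_ID = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": ROLE_ID,
     "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": USER_ID,
     "requestParameters": {"bucketName": "example-bucket", "key": "b.txt"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied", "userIdentity": ROLE_ID,
     "requestParameters": {"bucketName": "example-bucket", "key": "c.txt"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": ROLE_ID,
     "requestParameters": {"bucketName": "other-bucket", "key": "d.txt"}},
]})


def caller_of(identity):
    """Issuing role ARN for assumed-role sessions, else the caller's own ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn") or identity.get("type", "unknown")


def successful_reads(log_text, bucket):
    """Count successful GetObject calls on `bucket`, grouped by caller."""
    hits = Counter()
    for rec in json.loads(log_text)["Records"]:
        params = rec.get("requestParameters") or {}
        if (rec.get("eventSource") == "s3.amazonaws.com"
                and rec.get("eventName") == "GetObject"
                and params.get("bucketName") == bucket
                and "errorCode" not in rec):  # denied calls carry an errorCode
            hits[caller_of(rec.get("userIdentity", {}))] += 1
    return dict(hits)


if __name__ == "__main__":
    for arn, count in successful_reads(SAMPLE_LOG, "example-bucket").items():
        print(count, arn)
```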

Aws IAM Roles vs Bucket Policies

I have been reading a number of docs and watched a number of videos, but I am still very confused about IAM Roles and Bucket policies. Here is what confuses me:
1) I create a bucket. At that time I can make it public or keep it private. If I make it public, then anyone, or any Application, can "see" the objects in the bucket. I think the permissions can be set to add/delete/get/list objects in the bucket. If this is the case, then why do I ever need to add any IAM Role for S3 buckets, or, add any Bucket policy (???)
2) At the time I create a bucket, can I give very specific permissions to only certain users/applications/EC2 instances etc to all or part of the bucket? e.g. App1 on EC2-X can access subfolder A in bucket B1.
3) Coming to IAM Roles, an EC2 role that gives full S3 access- what does it mean? Full access to any bucket? How can I restrict an app running on an EC2 to only certain buckets, with only certain restricted permissions (see #2) above)? Do all Apps on the EC2 have full access to all buckets? At the time of creating a bucket, can the permissions be so set that an IAM Role can be overruled?
4) Finally, what do Bucket Policies do in addition to the above IAM Roles? e.g. is 'AllowS3FullAccess' a "Bucket Policy", or an "IAM Policy"? Why differentiate between types of policies- policies are just that- they define some permissions/rules on some objects/resources, as I see it.
Thanks for any clarifications.
- a newcomer to AWS
I think you are confusing permissions for resources with IAM entities.
i) There are resources (S3 bucket, EC2 instances etc.) owned by the AWS account and these resources can be accessed by IAM users, IAM roles or other AWS Services (can be from same or different account)
ii) We manage who can access and their permission level with policies
iii) Policies can be identity based (attached to IAM user/group/role) or resource based (attached to S3 bucket, SNS topic)
iv) Resource based policy will have a Principal element but the identity based policies will not have that (because the attached IAM entity is the Principal)
v) Permissions start from default deny, allow overrides the default deny and an explicit deny overrides any allow
vi) Final access will be determined by combination of all policies
To answer your questions:
1> We cannot add (or attach) an IAM role to an S3 bucket. If you want your bucket to be public (which is not recommended, but is needed to some extent if it's used for a static website), then you can keep it public
2> It is not possible while creating the bucket. You have to do it after creating the bucket via IAM and/or S3 bucket policy
3> If an IAM role has AmazonS3FullAccess, the role can (Effect: Allow) call any S3 API (s3:*) for any S3 resource (Resource: *) in your account (provided they don't have cross-account access).
If multiple applications run on an instance with an IAM role attached and are using credentials provided by the role, their permissions will be the same.
4> I don't know where you got the reference AllowS3FullAccess but we cannot confirm unless we know the exact JSON. If it is attached to a bucket or has the Principal element, it is a bucket policy.
You can use IAM and Bucket policies based on your need. Usually bucket policies are used for cross account access or if you want to manage S3 permission policies in a single place.
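
The rules in points v) and vi) above (default deny, Allow overrides it, explicit Deny overrides any Allow), applied to the object1/object2 case from the earlier answer, as an added example that is not from any of the posts. It models a same-account request by an IAM user only; the ARNs and policies are constructed, and Condition keys, SCPs and permissions boundaries are left out.

```python
from fnmatch import fnmatchcase


def as_list(value):
    return value if isinstance(value, list) else [value]


def principal_ok(stmt, principal):
    """Resource-based statements apply only to the principals they name."""
    p = stmt["Principal"]
    return p == "*" or principal in as_list(p.get("AWS", []))


def evaluate(principal, action, resource, identity_policies, bucket_policy=None):
    """Same-account decision: explicit Deny beats Allow beats default deny."""
    stmts = [(s, False) for p in identity_policies for s in p["Statement"]]
    if bucket_policy:
        stmts += [(s, True) for s in bucket_policy["Statement"]]
    decision = "ImplicitDeny"  # nothing is allowed until a statement says so
    for stmt, resource_based in stmts:
        if resource_based and not principal_ok(stmt, principal):
            continue
        # Simplification: shell-style wildcard matching, case-sensitive.
        if not any(fnmatchcase(action, a) for a in as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # no Allow anywhere can override this
        decision = "Allow"
    return decision


# Constructed sample: one IAM user, one identity policy, one bucket policy.
ALICE = "arn:aws:iam::111111111111:user/alice"
IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/object2"}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/object1"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/private/*"}]}


def check(key, identity_policies=(IAM_POLICY,)):
    """Decision for ALICE calling s3:GetObject on one key of example-bucket."""
    return evaluate(ALICE, "s3:GetObject", f"arn:aws:s3:::example-bucket/{key}",
                    identity_policies, BUCKET_POLICY)
```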