I am logged in AWS with admin privilege. I am trying to make a bucket public read, write. I have deselected these options. I also followed this one Duplicate and tried to update bucket policy, but getting access denied error. All those answers are from 2018.
The link that you referred is still working fine!
Along with "Bucket Public Access" option, you should paste the following bucket policy in "Bucket Policy":
{
"Version":"2012-10-17",
"Statement":[{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal":"*",
"Action":[
"s3:GetObject",
"s3:PutObject"
],
"Resource":[
"arn:aws:s3:::your-bucket-arn-here/*"
]
}]
}
This grants both read and write operations into your bucket.
Please, remember to change your bucket's Amazon Resource Name (arn) where key in bucket policy points to "Resource".
You can find your bucket's arn above bucket policy paste field.
Also, you may make use of AWS policies generator for further access grants.
I hope I might help.
If your bucket policy is using the following then at least this is setup to allow public read and write. Be aware this is anonymous so anyone can perform a read or write to the bucket, you will still be responsible for this.
{
"Version":"2012-10-17",
"Statement":[{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal":"*",
"Action":[
"s3:GetObject",
"s3:PutObject"
],
"Resource":[
"arn:aws:s3:::bucketname/*"
]
}]
}
Be aware that if ACLs are involved you would also need to apply the permissions of s3:PutObjectAcl. In addition the ACL would need to grant the public read/write which would be counterintuitive as you're using a bucket policy to do this.
If you're getting access denied when updating the bucket policy your user is prohibited from performing the action.
There are a few reasons why this could occur:
Your IAM user does not have the IAM policy permissions.
Your account is part of an AWS organisation that is using an SCP (Service Control Policy) to prohibit applying a bucket policy.
Your IAM user has been configured with an IAM boundary that it prohibiting this access.
If you do not have the ability to modify your permissions or your account was given to you via a service you would need to communicate with them.
Related
How do i grant a customer read/write access to a specific S3 bucket in my AWS account without giving them access to any other buckets or resources?
They should be able to access this bucket from a powershell script in some ec2 instance of theirs.
found this policy
{
"Version": "2012-10-17",
"Id": "PolicyForBucketX",
"Statement": [
{
"Sid": "AllowCustomerRWAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket-x/*"
}
]
}
Giving customer AWS access to my AWS's specific s3 bucket?
with this, they might be able to access s3 via their access key in powershell. However they might not be using access key hardcoded to use s3. They might be using STS with instance role for the ec2 to access their s3 resources.
Would this work still? Would they then have to add my bucket x into their instance role permissions buckets?
Any better way? I might/might not have details of their AWS resource IDs.
With Bucket policy and IAM policy (either for user or a role) you can restrict users/resources based on the requirement.
I agree with Maurice here as extent of restriction would heavily depend on what you specifically want to do.
You can also use CloudFront and restrict access to your bucket objects for users not managed by IAM.
In general you should think of access as two part task. On the side of the resource, you grant permissions to a resource, in this case you are doing that for a specific bucket (resource) for a cross account (principal). You're done.
Now, the identity that will access it will also needs permissions given to them by the account administrator (root) the same way. I.e. grant the user/role the permissions to
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
If they would like to use an instance which has AWS PowerShell installed, they can create an instance profile / role that has the above permissions, and they will be able to run the commands and access your bucket. That's right way to do it.
Regardless of how they access to the instance, when they make the api call from the instance to your bucket, AWS will first check to see if the caller (which could be instance profile or a role they assumed) has permissions to these actions (customer setup). It will then be checked to see if the resource allows these actions (your setup).
I'm not entirely sure if this is possible, but I would like to create a setup similar to what is described in:
https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
by creating an S3 bucket with a subdirectory for each AWS user accessible only to that user.
My question is: is it possible to go a step further and specifically block users that might otherwise have full S3 permissions from being able to read from subdirectories that don't belong to them?
This solution would be ideal for me, except that several users have */* on S3 which I believe will override this policy for them, allowing them to see other users' data. Ideally this would be a bucket policy rather than an IAM group/role so that any user in the account automatically has these permissions applied without needing to be added to a group.
When an IAM user/role accesses an S3 bucket, all of the following policies are applied:
The user's or role's IAM policies,
If the user is in any groups, all of those group's policies, and
If the bucket being accessed has a bucket policy, that policy.
All of those policies work as follows:
All commands are denied, unless
There is an explicit allow in any policy, unless
There is an explicit deny in any policy.
Basically, what this means is that by default, access is denied, unless you add an "Allow" statement to a policy (IAM user/role, group, or bucket). But if you explicitly add a "Deny" statement (in any affecting policy), that "Deny" statement will overrule any other "Allow" statement.
Knowing this, you can apply a bucket policy to your S3 bucket with the correct "Deny" statements. These policy statements would overrule any other policy statements, applying to anyone accessing the bucket (even the super-est of super users).
So, you can try something like this:
{
"Version": "2012-10-17",
"Id": "blah",
"Statement": [
{
"Sid": "DenyListingOfUserFolder",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::block-test",
"Condition": {
"StringNotLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:username}/*"
]
}
}
}
]
}
This policy will deny anyone from listing the contents from any folder aside from the root folder, "home" folder, and "home/their user name" folder.
Be careful when working with "Deny" staetments. The wrong policy could lock you out of your own bucket and you'll need AWS support to remove the policy for you.
In case of S3 buckets of AWS. Is there a way we can LOCK a bucket which allows to stop any WRITE/EDIT/DELETE operation on the bucket? Only READ access can be there.
Yes, that is possible.
There is a concept, called bucket policies, that allows you to configure both bucket-level and object-key-level policies for your resources. For example, you can grant read-only access to anonymous users by the following policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::examplebucket/*"]
}
]
}
I copy-pasted this example from the official documentation here. Please refer to it for more information.
Use case: In our application we need to give iam : putUserPolicy permissions to IAM entities. That is trivial. We can assign the policy mentioned below to the IAM entity to which we want to give iam : putUserPolicy permission
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"iam : putUserPolicy"
],
"Resource":"*"
}
]
}
Let's say we have another requirement and assign putUserPolicy to IAM user U1. This means that now U1 can assign ANY policy to ANY IAM user. The second "ANY" can be avoided by changing "Resource":"*" to "Resource":"user-arn", but how do we deal with the first ANY?
Is there a way to give "iam : putUserPolicy" permission such that putting only "iam : CreateUser" permission is allowed? Or perhaps only "iam : CreateUser" is blocked and putting rest all policies is allowed?
I went through the AWS documentation and I found conditions kind of helpful but I could not find any IAM service-specific keys and values though I did find some for EC2 and SNS.
As an example we can assign the following policy:
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["s3:ListBucket"],
"Resource":"*",
"Condition":{"StringNotEquals":["s3:prefix":"arn:aws:s3:::BUCKET-NAME/home/"]}
}
]
}
which gives permissions to all other S3 folders and buckets except the home folder in a particular bucket.
Can we do something like this?
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["iam:PutUserPolicy"],
"Resource":"*",
"Condition":{"StringNotEquals":["iam:policy-contains":"iam:CreateUser"]}
}
]
}
AWS has just introduced Managed Policies for AWS Identity & Access Management, which provide a fresh approach to sharing and maintaining IAM policies across IAM entities, notably also including Delegating permissions management, see Controlling Access to Managed Policies:
Managed policies give you precise control over how your users can manage policies and manage permissions for others. You can separately control who can create, update, and delete policies, and who can attach and detach policies to and from principal entities (users, groups, and roles). You can also control which policies a user can attach or detach, and to and from which entities. [emphasis mine]
A typical scenario is that you give permissions to an account administrator to create, update, and delete policies. Then, you give permissions to a team leader or other limited administrator to attach and detach these policies [...].
Section Controlling Permissions for Attaching and Detaching Managed Policies provides an Example policy that allows attaching only specific managed policies to only specific groups or roles, which conceptually allows you to achieve what you are looking for:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:group/TEAM-A/*",
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/TEAM-A/*"
],
"Condition": {"ArnLike":
{"iam:PolicyArn": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/TEAM-A/*"}
}
}
}
I have a bucket in S3 named home, and have multiple folders under it. I want to allow a specific user to be able to access to the folder1 under path: home/A/B/folder1. However I do not want him to see any other buckets and even other folders in this home bucket.
Can anyone help me with this policy?
Amazon S3 provides several User Policy Examples and the desired scenario is explored in Example: Allow each IAM user access to a folder in a bucket:
In this example, you want two IAM users, Alice and Bob, to have access to your bucket, examplebucket, so they can add, update, and delete objects. However, you want to restrict each user’s access to a single folder in the bucket.
As explained there, you can attach individual policies per user, however, it is meanwhile best addressed by using IAM Policy Variables:
Instead of attaching policies to individual users, though, you can
write a single policy that uses a policy variable and attach the
policy to a group. [...] The following example policy allows a set of
Amazon S3 permissions in the examplebucket/${aws:username} folder.
When the policy is evaluated, the policy variable ${aws:username} is
replaced by the requester's user name. [...]
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource":"arn:aws:s3:::examplebucket/${aws:username}/*"
}
]
}