AWS CrossAccount S3 PutObject from Lambda in another account - amazon-web-services

I am trying to put a text file from Lambda which is in Account A to S3 bucket in account B. S3 bucket(test-bucket) is having AWS-KMS encryption enabled. I added below permissions :
Added below bucket policy to S3 bucket in Account B:
{"Version": "2012-10-17",
"Id": "ExamplePolicy",
"Statement": [
{
"Sid": "ExampleStmt",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:role/Lambda-Role"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
Added below policy in KMS key:
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:role/Lambda-Role"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
Added below Inline policy in Account A - Lambda Role and gave access to KMS key:
{"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:DescribeKey",
"kms:ReEncrypt*"
],
"Resource": [
"arn:aws:kms:us-west-2:AccountB:key/KMS-ID"
]
}
]
}
Files are also uploading in Account B S3 Bucket but not able to view/download any of those files. Gets this error:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>5H3KEXCJ7YSCJS</RequestId>
<HostId>hqwavZZo6D0asdddcvfff+prEtoBCwTFH0AYtzzzzzztqAaPflzs85aaaaa=</HostId>
</Error>
When I checks the file properties it has : Server-side encryption- Access denied.
Don't know what am I missing here. Someone please guide.

One thing missing in Account A - Lambda Role is - it should have permission to access the bucket in account B even though the bucket policy in Account-B allows it.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::AccountABucketName"
"arn:aws:s3:::AccountABucketName/*"
]
}
]
}
And to List the files in the bucket you should also add "Resource": "arn:aws:s3:::test-bucket as well

I found the solution. I only needed to add ACL='bucket-owner-full-control' in the put_object. Below is the complete boto3 cmd.
s3.put_object(
ACL='bucket-owner-full-control'
Body=processed_content,
Bucket=processed_bucket,
Key=processed_key)

Related

AWS IAM Role Policy Issue on Media Convert Service [ Cannot open input file [Failed to read data: AssumeRole failed]]]

I am struggling with AWS IAM Role Policies, I am following a tutorial for Lambda function to read from s3 bucket event when a new file is uploaded and send it to AWS MediaConvert to convert the video file.
Lambda function is being able to read from s3 in test but it fails the job at MediaConvert.
I have set the policies to the roles and also gave inline policies but still I am unable to get it working.
AWS Elemental MediaConvert Screenshot
Policies set for IAM ROLE
IAM Policies
Json for inline policy
lambda-s3-policy-inlinepolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStmt",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::aws-mybucket-01/*"
]
}
]
}
Policy Summary
PolicySummaryImg
VodLambdaRole
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "Logging"
},
{
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::myAccountID:role/my-lambda-role"
],
"Effect": "Allow",
"Sid": "PassRole"
},
{
"Action": [
"mediaconvert:*"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "MediaConvertService"
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::myAccountID:role/my-lambda-role"
}
]
}
PolicySummary
Make sure that the IAM Role assigned to the MediaConvert job has a Trust Policy that trusts MediaConvert:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "mediaconvert.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
This is normally generated automatically when you create an IAM Role in the management console and select MediaConvert as the Service.

AWS IAM bucket permissions access denied

Has anyone encountered the situation when I use manage policies on a user, It works but when I use inline policy it says access denied. I am giving Read access to a bucket for IAM user that is it can only access that bucket.
Manage Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}
]
}
Inline Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::mybucketname/*"
}
]
}
I also tried this
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3Permissions",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucketname/*",
"arn:aws:s3:::mybucketname"
]
}
]
}
Your last policy should be fine for direct access to the bucket as explained in:
How can I grant a user Amazon S3 console access to only a certain bucket or folder?
For console access, additional permissions are required, as shown in:
Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
Specifically the policy should like like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
Amazons3ReadonlyAccess has all the above permissions, your inline policy does not.

trouble with AWS S3 Bucket policty

i've tried to add this policy to my newly created S3 Bucket
{
"Id": "Policy1548665682202",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1548665490985",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::darbazar-invoices-logs",
"Principal": {
"AWS": [
"fluentd.darbazar.invoices.user"
]
}
},
{
"Sid": "Stmt1548665526321",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::darbazar-invoices-logs",
"Principal": {
"AWS": [
"testavi.uzir"
]
}
}
]
}
here u can see 2 users, 1 user has full access and 1 user has only 1 Permission, but if i click save, the Invalid principal in policy warning has returned to my screen
why? i use the Official AWS S3 policy generator to generate this policy and this principal is exist in my IAM

Allow IAM user to access single s3 bucket

I am using inline policy for grant access to s3 bucket for IAM user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::newput-test"
]
}
]
}
but on extended s3 browser when I use the access key id and secret access key of particular IAM user is not listing my bucket.but when I pass * in resources It works fine
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
]
}
but the problem is its giving access to all the s3 bucket to IAM user.
but I want to give access only single bucket anybody have an idea how to achieve this.
Try something like this
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mys3bucket",
"arn:aws:s3:::mys3bucket/*"
]
}
]
}
Its been explained here.
http://www.fizerkhan.com/blog/posts/Restrict-user-access-to-Single-S3-Bucket-using-Amazon-IAM.html

Amazon CLI won't allow me to list objects

I'm trying to copy contents of an S3 bucket to another bucket on another account, and I wanted to use the CLI to do this. So I set up a bucket policy on the source bucket, allowing a IAM user in the destination account to perform all S3 actions, but it keeps complaining that the ListObjects operation is denied.
I've tried Google, but I can't tell what would be the problem with my policy compared to the solutions I find. Even if I make the source bucket public (and can list it in a browser), it still gives me access denied.
What to do, what to do? Here's my bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAll",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123123123123:user/USER"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::SOURCE",
"arn:aws:s3:::SOURCE/*"
]
}
]
}
Please try using below policy,
{
"Version": "2008-10-17",
"Id": "Policy1357935677554",
"Statement": [
{
"Sid": "CrossAccountList",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::examplebucket"
},
{
"Sid": "CrossAccountS3",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*"
}
]
}
You can read the full steps here
Another read here