Amazon S3 Bucket Policy Block User Agent - amazon-web-services

I need to block a specific user agent from amazon s3. I'm fairly new to S3 and typically do this in the .htaccess file which I understand isn't possible with amazon.
I saw this Deny access to user agent to access a bucket in AWS S3. The solution seems to look something like this:
{ "Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition":
{ "StringLike": { "aws:UserAgent": "*NSPlayer*" } }
}]
}
But, I would still like to allow access to the site to all other users except that user agent. My policy currently looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.examplesite.com/*"
}
]
}
I get invalid json when I try to implement it. So, I am just curious what is the correct way to format this? I would like to have public access but be able to block a few different user agents. Also, would the user agents be comma separated if I want to block multiple?
Thanks for the help it is much appreciated.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.examplesite.com/*"
},
{
"Sid": "DenyUserAgents",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.examplesite.com/*",
"Condition": {
"StringLike": {
"aws:UserAgent": ["*Firefox*", ... more UserAgents ...]
}
}
}
]
}

Related

IAM Policy for AWS File Transfer

I am trying to setup IAM policy on S3 based for aws file transfer (SFTP) protocol. Here is the requirement:
User should be able to put files to his/her own folder is. {transfer:username}/
While uploading, lambda will add tag "allowdownload":"no" by default.
We have some third party integration to carry approvals and once approved, new tag will be added to file "allowdownload":"Yes"
Business logic complete Step_1 through 3 are working except tag based policy which I have attached to AWS File Transfer server. Policy has conditions to allow/deny get files based on tag value but it seems not working.
As per requirement: files with tag "allowdownload":"Yes" should be allowed
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
],
"Effect": "Allow",
"Sid": "ReadWriteS3"
},
{
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::mybucket/${transfer:UserName}/*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Sid": "DenyMkdir",
"Action": [
"s3:PutObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucket/*/"
}
]
}
Here is bucket Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/${transfer:UserName}/*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/allowdownload": "yes"
}
}
},
{
"Sid": "Statement1",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/${transfer:UserName}/*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/allowdownload": "no"
}
}
}
]
}
Also, I have block all public access is ON but still user is able to get files with allowdownload tag = no.
Anything wrong with below policy: Please advise.

Grant access for IAM policy to specific AWS Lightsail resources using tags

I'm trying to create an IAM policy so that the user can access Lightsail but only have access to specified instances. Ideally it would use tags so it's easy to maintain, but specifying individual instances would be fine.
I've tried various things, but they either make all instances disappear for the user (when logged in as the user to the web console), or leave all instances visible.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "lightsail:*",
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Deny",
"Action": "lightsail:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/wordpress": "true"
}
}
}
]
}
And
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullAccess",
"Effect": "Allow",
"Action": ["lightsail:*"],
"Resource": ["*"]
},
{
"Sid": "DenyInstance",
"Action": ["lightsail:*"],
"Effect": "Deny",
"Resource": ["arn:aws:lightsail:us-east-1:861111111111:Instance/11111111-1b1b-1b1b-1b1b-11bb11bb1b1b"]
}
]
}

AWS S3 Allows reading of all objects except a specific folder

How can I allow reading of all objects except a single folder and its contents?
The rule below blocks me the whole bucket.. (can't read the bucket)
If this feature isn't possible, how can I allow reading on files at the root but deny on all subfolders?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "ReadOnly",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "DenyOneFolder",
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder",
"arn:aws:s3:::my-bucket/my-folder/*"
]
}
]
}
My bucket strcture:
my-bucket
my-folder
object3
object1
object2
You can add an explicit Deny in your bucket policy for Listing objects that matches the prefix my-folder.
Edit: This policy will work only if the list bucket request contains the prefix.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "ReadOnly",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "DenyOneFolderRead",
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder/*"
]
},
{
"Sid": "DenyOneFolderList",
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket",
"Condition" : {
"StringEquals" : {
"s3:prefix": "my-folder"
}
}
}
]
}
The policy works correctly, though I would remove the Deny on arn:aws:s3:::my-bucket/my-folder because it's not useful.
I think the confusion here is that you are expecting this policy to prevent the IAM user listing and/or getting the objects under s3://my-bucket/my-folder/. It won't do that, specifically the listing part, and in fact you cannot do that. You can't control a user's ability to list the bucket at a granular level (e.g. below a specific prefix).
The policy will successfully prevent the user getting (as in downloading) objects under s3://my-bucket/my-folder/.

how to write a IAM policy to give full s3 access but one directory

I am trying to give all permissions on a single s3 bucket but a single folder. I am trying to use explicit deny the folder name being Beijing path is like
buck123-test/china/Beijing/. bucket name is buck123-test.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1561641021576",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::buck123-test"
},
{
"Sid": "Stmt1561639869054",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::buck123-test/china/Beijing"
}
]
}
how can i achieve my requirement as the above policy is not working
Your policy is missing Allow actions for objects in your bucket.
What about ? (not tested myself, let's report if this works)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1561641021576",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::buck123-test", "arn:aws:s3:::buck123-test/*"]
},
{
"Sid": "Stmt1561639869054",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::buck123-test/china/Beijing/*"
}
]
}
Note that you need the two resources. The bucket name only resource is required for ListBucket and other bucket level operations. The /* resource is required for object level operations like Put and Get
Revised answer, you were missing some critical pieces to the policy document, try this as it should work, but I have not tested this.
You can add additional actions if you want to allow users to GetObject, PutObject etc.
{
"Id": "Policy1561648158487",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1561648106618",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::buck123-test/china/Beijing/*",
"Principal": "*"
},
{
"Sid": "Stmt1561648156125",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::buck123-test/*",
"Principal": "*"
}
]
}

S3 policy - public write but only authenticated read

What I am trying to do is to let (anonymous) users share files to a specified bucket. However, they should not be possible to READ the files, which are already there (and for all I care not even the ones they submitted themselves). The only account which should be able to list/get objects from the bucket should be the bucket owner.
Here is what I got so far:
{
"Version": "2012-10-17",
"Id": "PutOnlyPolicy",
"Statement": [
{
"Sid": "Allow_PublicPut",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::myputbucket/*"
},
{
"Sid": "Deny_Read",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::myputbucket/*"
},
{
"Sid": "Allow_BucketOwnerRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::myAWSAccountID:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::myputbucket/*"
}
]
}
The above Policy enables me to write files to the bucket (f.e. via the android app S3anywhere), but I can't GET the objects, not even with my authenticated account.
Do you have any hints on how I could accomplish this? Thanks!
Anonymous users are not able to read a bucket content by default. So you should have only these lines in your policy:
{
"Version": "2012-10-17",
"Id": "PutOnlyPolicy",
"Statement": [
{
"Sid": "Allow_PublicPut",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::myputbucket/*"
}
]
}
The deny statement in your policy takes precedence over everything else. The default is to deny everything that isn't specifically allowed, so you should be able to just remove the deny statement and all will work the way you want.
Policy looks good, I guess that problem into Principal, you can look how it use into documentation http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html. Probably you should use AccountNumber-WithoutHyphens