Cross Account S3 Access for a public buket - amazon-web-services

Bucket Policy
{
"Version": "2012-10-17",
"Id": "Policy1589032691178",
"Statement": [
{
"Sid": "Stmt1589032265458",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<BUCKET>/*"
}
]
}
This will allow read objects to all user.
IAM Policy attached to user ABC in AWS Account 1
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<BUCKET>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<BUCKET>/*"
}
]
}
With this setup public read of objects is there to anyone
And IAM policy is attached to user ABC, so ABC has access to list, put, get, delete
Now the question is
If someone in AWS Account 2 creates a user XYZ and attached same IAM policy as above
Will the XYZ user in AWS Account 2 be able to list, get, put, delete ?

What you posted looks like resource-based & IAM policies cross account access.
In order to allow user XYZ in account 2 to execute mentioned actions on bucket in account 1, apart from policy you specified for user XYZ, you need to additionally specify allowed actions for user XYZ in bucket's policy.
Alternative way is to allow cross-account IAM role assumption, where user in account 2 can assume role in account 1 granting desired access to the S3 bucket in account 1.
More information with examples can be found at https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

Related

How to restrict all access to the AWS s3 bucket

I want to restrict aws s3 bucket to not get access from anywhere, I want block all access public, private, bucket, folder, file everything of that bucket after that then i want to create an access point of s3 then I want to give permission to an IAM user so that only that IAM user can perform all action but only that IAM user
now I am not sure what exactly I also enable or disable like public access or something
also, i don't know I have to give a policy to the bucket or access point
I want to restrict aws s3 bucket to not get access from anywhere, I want block all access public, private, bucket, folder, file everything of that bucket
Use this policy to restrict all access:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAll",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*"
}
]
}
then i want to create an access point of s3 then I want to give permission to an IAM user so that only that IAM user can perform all action but only that IAM user
Use this policy to restrict all access except for one IAM user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllExceptRole",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": "IAM-ROLE-ARN"
}
}
},
{
"Sid": "AllowRole",
"Effect": "Allow",
"Principal": "IAM-ROLE-ARN",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*"
}
]
}

Messed up bucket policy and not able to access the bucket anymore

I created an s3 bucket and gave the following bucket policy to it
{
"Version": "2012-10-17",
"Id": "Policy1586942250763",
"Statement": [
{
"Sid": "Stmt1586942249918",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accID:user/username1”
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name"
}
]
}
Obviously this would give access only to the user username1. Now username1 was deleted from IAM. Is there any way to recover access to this bucket. I have an IAM account with admin privileges but aws s3api delete-bucket-policy111 seems to be not working.
Only root user can do anything on that bucket now.

Assume AWS Role From User in Same Account

I'm a little confused about the requirements for assuming a role from an IAM user in the same AWS account.
Per this document: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html:
If the user is in the same account as the role, then you can do either
of the following:
Attach a policy to the user (identical to the previous user in a
different account).
Add the user as a principal directly in the role's trust policy.
I explicitly added an assume-role policy to the group granted to my user and it could not assume the noted role:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123456789:role/some-role-name"
}
}
Once I added the account number as a principal to the trust policy of the target role, it started working though:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com",
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "sts:AssumeRole"
}
]
}
So, I'm confused for 2 reasons:
Why didn't the first policy alone work given the documentation I've quoted?
The second bullet in the documentation says "add the user as a principal". I think I added the whole account though instead of the user. What is the syntax for adding just this user? I didn't come across it in the documents I read.
1) That looks fine to me, given that the account ID and the role name are correct. Can you add the exact error you're getting?
This is an actual example of one of my policies which let users who are granted this policy to assume the role developer in the accounts acc1, acc2, and acc3:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::acc1:role/developer",
"arn:aws:iam::acc2:role/developer",
"arn:aws:iam::acc3:role/developer"
]
}
]
}
2) Instead of root, use the arn for the IAM user. Something along the lines of "arn:aws:iam::123456789:user/John"

Connecting Amazon S3 bucket to Other Server - IAM

I am trying to connect Amazon S3 to other services through Bucket policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"arn:aws:iam::ACCOUNT-ID:user/augmen",
}
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObject"
],
"Resource": ["arn:aws:s3:::rajatv.input",
"arn:aws:s3:::rajatv.input/*"]
}
]
}
Still getting errors like:
This policy contains invalid Json
Invalid Bucket syntax
No Resources
It appears that you are wanting to give bucket access to a specific IAM User. If so, the best way is to put a policy on the IAM User themselves, so that the permissions apply only to them.
This policy would grant bucket access to whichever user has it as an IAM policy. To add it, go to the user, Add Inline Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermitBucketAccess",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::rajatv.input",
"arn:aws:s3:::rajatv.input/*"
]
}
]
}
Bucket Policies, which are applied to the bucket itself, are best used to grant access to everyone, whereas an IAM policy is best for granting permissions to specific IAM Users, Groups and Roles.
Principal needs to have this format:
"Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},

How can I create an AMAZON policy with permission to an user create another user with only permissions on S3?

I'm using this policy to a user that can create other users, but I need to restrict this user to only create users with permissions on S3, that's because, currently, he can create users with permissions on all services, like EC2 or IAM.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetFederationToken",
"Resource": "*"
}
]
}
Are there any samples to create that policy with the restriction for users to create other users having permission only on S3?
Try this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}