FileNotFoundException: No such file or directory 's3 - amazon-web-services

I am trying to get Nexus data which is stored in my S3 bucket mbop-devo account. S3 bucket where nexus service is writing data is in mbop-devo account. Bucket policy is pasted below.
Now I want to get data into another S3 bucket in my own AWS account korgak. Inside korgak account I have assumed nexus role. When I am trying to SQL query, in output, it is returning my nexus data name. But when select query is running, its giving error:
Caused by: java.io.FileNotFoundException: No such file or directory 's3://mbop-na-preprod-nexus/mbopCustomerData/00242/2018-12-28T0041/PT1M/a403dc78-aded-46c9-b424-18344564438d.gz'
File is present in S3 bucket I am not sure where is the permission is missing
S3 bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NexusSystemPermissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::255137427906:role/EmrEc2Instance"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::mbop-na-preprod-nexus/*",
"arn:aws:s3:::mbop-na-preprod-nexus"
]
},
{
"Sid": "CrossAccountPermissions1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::255137427906:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mbop-na-preprod-nexus"
]
},
{
"Sid": "CrossAccountPermissions2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::997380610533:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mbop-na-preprod-nexus"
]
},
{
"Sid": "CrossAccountPermissions3",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::997380610533:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mbop-na-preprod-nexus/*"
]
},
{
"Sid": "CrossAccountPermissions4",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::255137427906:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mbop-na-preprod-nexus/*"
]
}
]
}

Related

codedeploy unable to access s3

I have a codepipeline on Account A and codedeployment group on Account B. I'm seeing the below error once the codedeployment group start the trigger
The IAM role arn:aws:iam::accountb:role/testcrss does not give you permission to perform operations in the following AWS service: Amazon S3. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies.
I was referring to this document provided by aws for aws cross-account deployment using codepipeline, do I need to configure anything other than the info provided in the document?
policies attached to testcrss role
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-2:AccountA:key/valuetest"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::AccountA bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::AccountA bucket"
]
}
]
}
Bucket policy on Account A
{
"Version": "2012-10-17",
"Id": "SSEAndSSLPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::AccountAbucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "DenyInsecureConnections",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::AccountAbucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": [
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::AccountAbucket/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::AccountAbucket"
},
{
"Sid": "Cross-account permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:role/testcrss"
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::AccountAbucket/*"
}
]
}
Trust Relationship for Role testcrss
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"codedeploy.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}

The issue was the KMS key which was added to Account B was incorrect, this key is required to access the s3 bucket on Account A.
KMS key should be the same as the KMS key attached to the codepipeline on Account A

Granting full control permission on all sub-folders inside S3 bucket (excluding parent )

I have an S3 bucket called my-bucket... I have several sub-folders inside this bucket, let's call them: sub-folder1, sub-folder2, etc
I want my-bucket-user to have read permission to the bucket and full control permission to all of the sub-folders (so this user cannot write at the root level).
I have tried the following bucket policy, which specifically grants permission on each of the sub folders... but this policy would become too long if I have a lot of sub-folders.
{
"Id": "MyBucketPolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListPermissionOnMyBucket",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::773643377756:user/my-bucket-user"
]
}
},
{
"Sid": "FullControlAccessOnSubFolder1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/sub-folder1/*",
"Principal": {
"AWS": [
"arn:aws:iam::773643377756:user/my-bucket-user"
]
}
},
{
"Sid": "FullControlAccessOnSubFolder2",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/sub-folder2/*",
"Principal": {
"AWS": [
"arn:aws:iam::773643377756:user/my-bucket-user"
]
}
}
]
}
Is there a better way of writing this policy?

This policy permits listing the entire contents of the bucket, but only uploading/downloading to a sub-folder (not the root of the bucket):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*/*"
}
]
}
Basically, the expression my-bucket/*/* forces the requirement of a / in the Key of the object, meaning it is in a sub-folder.

How to merge AWS S3 bucket policies?

We have an existing S3 bucket policy in production:
{
"Version": "2012-10-17",
"Id": "Policy[redacted]",
"Statement": [
{
"Sid": "ServiceA access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[redacted]:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mysite-production/*"
},
{
"Sid": "ServiceA access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[redacted]:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mysite-production"
},
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mysite-production/*"
}
]
}
We have another 3rd party service we want to grant access which requires:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
}
]
}
I've tried merging the ListAllMyBuckets and GetBucketLocation into the final section of our original policy but that yields "Policy has invalid action" errors:
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::mysite-production/*"
}
How can I merge these into one cohesive policy? Or is it possible for a bucket to have two policies?
Thanks in advance!

You can actually apply both IAM policies and S3 bucket policies
simultaneously, with the ultimate authorization being the least-privilege union of all the permissions.
Source: https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Create AWS Access Policy to Only 1 S3 Bucket

I'm trying to create a policy that allows access to only 1 bucket for our clients' WordPress backups using BackWPUp
This is after noticing that the default S3 Full Access policy allows full access to ALL buckets!
I tried following this article here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket-console.html
The policy looks like this (replaced the bucket name to an appropriate one) and it's not working:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ConsoleAccess",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}
Receiving Error: S3 Service API: Access Denied
Then, I tried a simplified version:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PolicyID",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
Still no luck, with the same error. Any ideas? What am I missing?

Turns out I needed s3:ListBucketMultipartUploads and s3:GetBucketLocation to get it working properly.
Final version below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Effect": "Allow",
"Action": "s3:*"
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}

AWS S3 storage permission denied from Elastic Beanstalk

I'm trying to access to one of my S3 storage buckets from my EC2 instance deployed by ElasticBeanstalk. My EC2 instance belongs to aws-elasticbeanstalk-ec2-role and I have granted this role with AmazonS3FullAccess policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
Then the bucket policy is as follows:
"Version": "2008-10-17",
"Statement": [
{
"Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs/*"
},
{
"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX",
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments/*"
]
},
{
"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
}
]
}
When I try to access the bucket from an SSH connection or through a script inside .ebextensions I receive an Access Denied 403 error. I tried making the files public and using the same commands and I worked perfectly, but the files I need can't be public.
I think I have the correct policies for both the bucket and the EC2 role. I might be forgetting some detail though.
Any help will be welcomed. Thank you folks in advance!

So based on my knowledge and previous issues I experienced, your bucket policy is incorrect.
It isn't valid because ListBucket and ListBucketVersions actions must be applied to bucket name, not prefix.
Here is my corrected policy that should work;
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs/*",
"arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs"
]
},
{
"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments",
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments/*"
]
},
{
"Sid": "eb-af163bf3-d27b-4712-b795-anything",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
]
},
{
"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
}
]
}
Useful docs to reference to for the future -> AWS s3 docs