My problems are that S3 Properties Tab shows
When I click use this and then save, button is not active any more.It changes color and I can not do anything about it.
This is the content of my S3
My S3 policy
{
"Version": "2012-10-17",
"Id": "Policy1575283327440",
"Statement": [
{
"Sid": "Stmt1575283033809",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::gitlab-jekyll-*********/*"
},
{
"Sid": "Stmt1575283267330",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5771********:user/terraformadminuser"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::gitlab-jekyll-**********/*"
}
]
}
How to fix this? I can not show my bucket id because it has public access.
Type index.html to both input boxs, then you can save
Related
I am trying to setup IAM policy on S3 based for aws file transfer (SFTP) protocol. Here is the requirement:
User should be able to put files to his/her own folder is. {transfer:username}/
While uploading, lambda will add tag "allowdownload":"no" by default.
We have some third party integration to carry approvals and once approved, new tag will be added to file "allowdownload":"Yes"
Business logic complete Step_1 through 3 are working except tag based policy which I have attached to AWS File Transfer server. Policy has conditions to allow/deny get files based on tag value but it seems not working.
As per requirement: files with tag "allowdownload":"Yes" should be allowed
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
],
"Effect": "Allow",
"Sid": "ReadWriteS3"
},
{
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::mybucket/${transfer:UserName}/*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Sid": "DenyMkdir",
"Action": [
"s3:PutObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucket/*/"
}
]
}
Here is bucket Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/${transfer:UserName}/*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/allowdownload": "yes"
}
}
},
{
"Sid": "Statement1",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/${transfer:UserName}/*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/allowdownload": "no"
}
}
}
]
}
Also, I have block all public access is ON but still user is able to get files with allowdownload tag = no.
Anything wrong with below policy: Please advise.
I wanna create a S3 bucket that anyone can get object but only iam user can upload an object.
My bucket policy is like this.
Anyone can read objects, but cannot do delete, list, create action.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "*"
}
]
}
I attached the below policy for a permission to upload object to a user and the group.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1347416638923",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my_bucket/*" //fixed as #Marcin mentioned
}
]
}
The problem is that this user can list objects, delete object from javascript.
How can we allow this user to only upload object?
We use Wasabi storage by the way.
arn:aws:s3:::my_bucket is a bucket, not objects. Thus it should be:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1347416638923",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my_bucket/*"
},
{
"Sid": "ExplityDeny",
"Effect": "Deny",
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::my_bucket/*"
},
{
"Sid": "ExplityDeny2",
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my_bucket"
}
]
}
I am trying to prevent the accidental deletion of my S3 bucket. Using the policy generator I came up with this policy:
{
"Id": "Policy1611547079478",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1611547073630",
"Action": [
"s3:DeleteBucket"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::my-bucket-name/*",
"Principal": "*",
}
]
}
However, when I attempt to save the policy I get the error:
Unknown Error An unexpected error occurred. API response Invalid policy syntax.
I already have a bucket policy in place to make the bucket public for hosting images. Here is the full code:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket-name/*"
}
]
},
{
"Id": "Policy1611547079478",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1611547073630",
"Action": [
"s3:DeleteBucket"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::my-bucket-name/*",
"Principal": "*",
}
]
}
The public bucket policy works, when I add the deny delete bucket policy I get the error.
The bucket policy in your question has incorrect form. It should be:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket-name/*"
},
{
"Sid": "Stmt1611547073630",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::my-bucket-name"
}
]
}
Since in the first statement you are allowing public access, you will also have to disable Block all public access.
I need to block a specific user agent from amazon s3. I'm fairly new to S3 and typically do this in the .htaccess file which I understand isn't possible with amazon.
I saw this Deny access to user agent to access a bucket in AWS S3. The solution seems to look something like this:
{ "Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition":
{ "StringLike": { "aws:UserAgent": "*NSPlayer*" } }
}]
}
But, I would still like to allow access to the site to all other users except that user agent. My policy currently looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.examplesite.com/*"
}
]
}
I get invalid json when I try to implement it. So, I am just curious what is the correct way to format this? I would like to have public access but be able to block a few different user agents. Also, would the user agents be comma separated if I want to block multiple?
Thanks for the help it is much appreciated.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.examplesite.com/*"
},
{
"Sid": "DenyUserAgents",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.examplesite.com/*",
"Condition": {
"StringLike": {
"aws:UserAgent": ["*Firefox*", ... more UserAgents ...]
}
}
}
]
}
How can I allow reading of all objects except a single folder and its contents?
The rule below blocks me the whole bucket.. (can't read the bucket)
If this feature isn't possible, how can I allow reading on files at the root but deny on all subfolders?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "ReadOnly",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "DenyOneFolder",
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder",
"arn:aws:s3:::my-bucket/my-folder/*"
]
}
]
}
My bucket strcture:
my-bucket
my-folder
object3
object1
object2
You can add an explicit Deny in your bucket policy for Listing objects that matches the prefix my-folder.
Edit: This policy will work only if the list bucket request contains the prefix.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "ReadOnly",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "DenyOneFolderRead",
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder/*"
]
},
{
"Sid": "DenyOneFolderList",
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket",
"Condition" : {
"StringEquals" : {
"s3:prefix": "my-folder"
}
}
}
]
}
The policy works correctly, though I would remove the Deny on arn:aws:s3:::my-bucket/my-folder because it's not useful.
I think the confusion here is that you are expecting this policy to prevent the IAM user listing and/or getting the objects under s3://my-bucket/my-folder/. It won't do that, specifically the listing part, and in fact you cannot do that. You can't control a user's ability to list the bucket at a granular level (e.g. below a specific prefix).
The policy will successfully prevent the user getting (as in downloading) objects under s3://my-bucket/my-folder/.