I have the following configuration and I've already tried a lot of things. Can someone check it and say what might be the issue?
I've added the canonical account of the source to the destination bucket.
Replication is enabled on the source bucket. It is replicating the whole bucket.
Source bucket:
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::source-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
},
{
"Sid": "AWSSourcebucketWrite20131101",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::external_account_who_write_the_files:root",
"arn:aws:iam::external_account_who_write_the_files:root",
"arn:aws:iam::external_account_who_write_the_files:root"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::source-bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
Destination bucket:
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::source-bucket-replication/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
},
"Bool": {
"aws:SecureTransport": "true"
}
}
},
{
"Sid": "Stmt123",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::source_bucket_account:root"
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Resource": "arn:aws:s3:::source-bucket-replication/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
}
]
}
Did you try adding a new file to your source bucket, or updating an existing file in the source bucket? I think replication takes effect only on items added or updated after enabling replication.
I am attempting to deploy an SSM Inventory Collection and a Resource Data Sync via CloudFormation in 15 accounts. I am able to manually add each account by adding a statement in the central S3 bucket policy for proper access. I was wondering if there is a way to create a policy that allows newly created AWS accounts in the future to have proper access without adding a statement to the S3 bucket policy. Below is the documentation I have followed. I was using this method to add each account:
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=123456789012/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=444455556666/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=777788889999/*"
],
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html
Further in the documentation, I see you can create a resource data sync for accounts defined in AWS Organizations. But this still doesn't accomplish granting access to any new accounts where the template gets deployed.
Creating an inventory resource data sync for accounts defined in AWS Organizations
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::S3_bucket_name"
},
{
"Sid": "SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"s3:RequestObjectTag/OrgId": "organization-id",
"aws:SourceAccount": "123456789012"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:ssm:*:123456789012:resource-data-sync/*"
}
}
},
{
"Sid": "SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
]
}
]
}
I have played around with a few policies but it doesn't seem to work:
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::inventorycollectionsync/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-mb7bem0c79"
}
}
}
]
}
Try this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": "SSMBucketOrgDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:RequestObjectTag/OrgId": "org-id",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*"
}
]
}
I currently have an S3 bucket policy that ONLY allows GET access if the user agent matches "ALLOW_USER_AGENT":
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
}
]
}
I want to modify this policy so that it allows GET access if the user agent matches "ALLOW_USER_AGENT" OR if the origin IP is 11.11.11.11.
Here is my first crack at this policy. Is this the right policy? I want to allow GET access if one of these two statements is true (not both).
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
},
{
"Sid": "SourceIP",
"Action": "s3:GetObject",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"11.11.11.11/32"
]
}
}
}
]
}
According to your requirements, the Allow/Deny rules should be:
C1 (condition 1): aws:UserAgent = ALLOW_USER_AGENT
C2 (condition 2): aws:SourceIp = 11.11.11.11/32
The corresponding bucket policy would be:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "deny-if-both-conditions-are-true",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
},
"IpAddress": {
"aws:SourceIp": "11.11.11.11/32"
}
}
},
{
"Sid": "deny-if-neither-conditions-are-met",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "11.11.11.11/32"
},
"ForAnyValue:StringNotEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
}
}
}
]
}
I have tested this policy and it works as expected. Additionally, I have replaced the operator "ForAllValues" with "ForAnyValue".
Use the curl command with the "-A" option to set any User-Agent.
Reference:
Creating a condition with multiple keys or values
I am trying to find the solution for config s3-bucket-policy-grantee-check-conformance-pack showing noncompliance on this S3 Bucket Policy and can't seem to find a solution.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
I have restricted the read access on my entire bucket to specific IPs, e.g. 1.1.1.0 & 2.2.2.0 as per the bucket policy given below.
There's a file in it, s3://MYBUCKET/onefile.txt, to which I want to give another set of IPs read access, e.g. to 3.3.3.0 and 4.4.4.0. So that now onefile.txt can only be accessed by 3.3.3.0 and 4.4.4.0 but NOT by 1.1.1.0 & 2.2.2.0 or any other.
How can I accomplish that?
Current Permissions > Bucket Policy (e.g.)
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "MY RESTRICTED REQUESTS",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
}
]
}
Add explicit Deny and Allow statements for that file, onefile.txt, in addition to the existing statement in the policy.
The updated bucket policy would look like:
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "MY RESTRICTED REQUESTS",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
},
{
"Sid": "MY RESTRICTED REQUESTS_1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"3.3.3.0/20",
"4.4.4.0/22"
]
}
}
},
{
"Sid": "MY RESTRICTED REQUESTS_2",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/onefile.txt",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.1.1.0/20",
"2.2.2.0/22"
]
}
}
}
]
}
I have created a bucket policy to try and stop hotlinking to my S3 files from people who obtain the direct URL. I only want my website to be able to access those files. However, when I direct-link, even with the policy below, it still allows access to the file. The files are all set to public.
{
"Id": "Policy1491040992219",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://mywebsite.com/*"
}
},
"Principal": "*"
},
{
"Sid": "Stmt14910403436760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "http://localhost:8888/*"
}
},
"Principal": "*"
}
]
}
Do I need to change any settings on the actual S3 bucket settings to stop all access?
Thanks!
You are missing the Deny statement. Try this policy:
{
"Version": "2008-10-17",
"Id": "Policy1491040992219",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
},
{
"Sid": "Stmt14910401236761",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
}
]
}
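The three answers above (the "either user agent or source IP, not both" policy, the per-file IP override with an explicit Deny, and the Referer policy that needed a Deny statement) all rely on the same evaluation rules: an explicit Deny always wins, a request is allowed only if some Allow statement matches, and a condition block is satisfied only when every operator and every key in it is true. The following is an added example, not code from any of the posters or from AWS: a small offline evaluator for those rules that replays each answer's policy against constructed requests. It models only the operators used on this page (StringEquals/StringNotEquals, StringLike/StringNotLike, IpAddress/NotIpAddress, Bool, Null and the ForAnyValue/ForAllValues set prefixes), ignores the Principal element entirely (it assumes the anonymous "*" principal matches every statement), and follows the documented set-operator semantics that ForAllValues is vacuously true and ForAnyValue is false when the key is absent from the request. The policy dicts are abbreviated copies of the answers' JSON, with Version, Id and Sid left out.

```python
"""Toy evaluator for S3 bucket-policy Allow/Deny/Condition logic (constructed example)."""
import fnmatch
import ipaddress


def _values(v):
    """Policy elements may hold one string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _key_true(op, ctx, key, wanted):
    """Evaluate one condition key under one operator against the request context."""
    prefix, _, base = op.rpartition(":")        # "ForAnyValue:StringEquals" -> ("ForAnyValue", "StringEquals")
    wanted = [str(w) for w in _values(wanted)]
    have = [str(h) for h in _values(ctx.get(key, []))]
    if base == "Null":                           # "true" means: the key must be absent from the request
        return (key not in ctx) == (wanted[0].lower() == "true")
    if base == "Bool":
        return bool(have) and have[0].lower() == wanted[0].lower()
    negative = base in ("StringNotEquals", "StringNotLike", "NotIpAddress")

    def one(c):
        if base in ("StringEquals", "StringNotEquals"):
            m = c in wanted
        elif base in ("StringLike", "StringNotLike"):
            m = any(fnmatch.fnmatchcase(c, w) for w in wanted)   # '*' matches across '/'
        elif base in ("IpAddress", "NotIpAddress"):
            m = any(ipaddress.ip_address(c) in ipaddress.ip_network(w, strict=False) for w in wanted)
        else:
            raise ValueError(f"unsupported operator {op}")
        return (not m) if negative else m

    if prefix == "ForAllValues":                 # vacuously true when the key is missing
        return all(one(c) for c in have)
    if prefix == "ForAnyValue":                  # false when the key is missing
        return any(one(c) for c in have)
    if not have:                                 # plain single-valued key absent: only negated operators match
        return negative
    return one(have[0])


def evaluate(policy, action, resource, ctx):
    """Return 'DENY' (explicit), 'ALLOW' or 'IMPLICIT_DENY' for one request. Principal matching is ignored."""
    result = "IMPLICIT_DENY"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _values(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _values(st["Resource"])):
            continue
        cond = st.get("Condition", {})
        if not all(_key_true(op, ctx, k, v) for op, keys in cond.items() for k, v in keys.items()):
            continue
        if st["Effect"] == "Deny":               # an explicit Deny ends evaluation
            return "DENY"
        result = "ALLOW"
    return result


def _get(effect, resource, cond):
    """Shorthand for a GetObject statement with the anonymous principal."""
    return {"Effect": effect, "Principal": "*", "Action": "s3:GetObject",
            "Resource": resource, "Condition": cond}


# 1. Either user agent OR source IP, but not both (two Deny statements, no Allow of its own).
UA, IP, ANY = "ALLOW_USER_AGENT", "11.11.11.11/32", "arn:aws:s3:::MY_BUCKET/*"
XOR_POLICY = {"Statement": [
    _get("Deny", ANY, {"ForAnyValue:StringEquals": {"aws:UserAgent": UA}, "IpAddress": {"aws:SourceIp": IP}}),
    _get("Deny", ANY, {"NotIpAddress": {"aws:SourceIp": IP}, "ForAnyValue:StringNotEquals": {"aws:UserAgent": UA}}),
]}

# 2. Bucket readable from the old ranges, one file readable only from the new ranges.
ALL, FILE = "arn:aws:s3:::MYBUCKET/*", "arn:aws:s3:::MYBUCKET/onefile.txt"
OLD_NETS, NEW_NETS = ["1.1.1.0/20", "2.2.2.0/22"], ["3.3.3.0/20", "4.4.4.0/22"]
PER_FILE_POLICY = {"Statement": [
    _get("Allow", ALL, {"IpAddress": {"aws:SourceIp": OLD_NETS}}),
    _get("Allow", FILE, {"IpAddress": {"aws:SourceIp": NEW_NETS}}),
    _get("Deny", FILE, {"IpAddress": {"aws:SourceIp": OLD_NETS}}),
]}

# 3. Anti-hotlinking: Allow on a matching Referer plus the Deny the original policy lacked.
SITES = ["https://mywebsite.com/*", "http://localhost:8888/*"]
REFERER_POLICY = {"Statement": [
    _get("Allow", "arn:aws:s3:::bucketname/*", {"StringLike": {"aws:Referer": SITES}}),
    _get("Deny", "arn:aws:s3:::bucketname/*", {"StringNotLike": {"aws:Referer": SITES}}),
]}

if __name__ == "__main__":
    # Constructed requests; note the last XOR case, where the User-Agent header is absent.
    for ctx in ({"aws:UserAgent": UA, "aws:SourceIp": "11.11.11.11"}, {"aws:UserAgent": UA, "aws:SourceIp": "5.5.5.5"},
                {"aws:UserAgent": "curl/8", "aws:SourceIp": "11.11.11.11"}, {"aws:SourceIp": "5.5.5.5"}):
        print("XOR", ctx, evaluate(XOR_POLICY, "s3:GetObject", "arn:aws:s3:::MY_BUCKET/x", ctx))
    print("onefile from 1.1.1.1:", evaluate(PER_FILE_POLICY, "s3:GetObject", FILE, {"aws:SourceIp": "1.1.1.1"}))
    print("no Referer:", evaluate(REFERER_POLICY, "s3:GetObject", "arn:aws:s3:::bucketname/img.png", {}))
```

Two things worth noticing when running it. The XOR policy contains no Allow at all, so it can only ever narrow access that the objects already have (public ACLs in the asker's case); and because ForAnyValue evaluates to false when the key is absent, a request that sends no User-Agent header from an address other than 11.11.11.11 is not caught by either Deny. curl sends a User-Agent by default, which is why a curl test does not surface that gap; a plain StringNotEquals on the single-valued aws:UserAgent key is satisfied by a missing key and closes it. In the Referer policy the Deny is what actually blocks a direct link, since a request with no Referer header matches StringNotLike and is denied regardless of the Allow.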