I am trying to set up a simple AWS SFTP server with a scoped-down policy but keep getting permission denied errors when trying to put and get.
Here is IAM Role with generic S3 bucket access:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::SOME-EXAMPLE-BUKCET"
]
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET/*"
}
]
}
And this is the scoped-down policy which I attach to the user when I create it in the SFTP panel:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::${transfer:HomeBucket}",
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:UserName}/*",
"${transfer:UserName}"
]
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::${transfer:HomeDirectory}/*",
"arn:aws:s3:::${transfer:HomeDirectory}*"
]
}
]
}
The goal is for a user to log in and land in their home directory with read/write/delete permissions for just that directory. I've tried various policies from the following links but never quite get what I need:
Connecting to AWS Transfer for SFTP
https://docs.aws.amazon.com/transfer/latest/userguide/users.html
https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html
I always either get no access at all and everything is denied (i.e. can't even ls). Or I can ls but can't do anything else like mkdir, put, get, etc...
In the scoped-down policy, why do you use transfer:UserName in the ListBucket condition rather than transfer:HomeDirectory like in the Put/Get/DeleteObject statement? Is the HomeDirectory of the user the same as its username?
What happens when you try something like this?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::${transfer:HomeBucket}",
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:HomeDirectory}/*",
"${transfer:HomeDirectory}"
]
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::${transfer:HomeDirectory}/*",
"arn:aws:s3:::${transfer:HomeDirectory}*"
]
}
]
}
Do not use ${transfer:Username} in the scoped down policy. Also, make sure you specify it as Policy key within secrets manager.
I have documented the full setup here in case you need to reference it - https://coderise.io/sftp-on-aws-with-username-and-password/
Related
im unable to add domain level privacy bucket policy with zencoder bucket policy. they work when i add one at a time but when i try to implement both it doesnt work. im just looking for a solution to implement both bucket polices in one bucket. i tried to add condition from the domain level privacy to zencoders bucket policy. but the domain level privacy stops working.
here is the bucket policies im trying to add .
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::newbbbb/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://www.vlogmo.com/*"
}
}
}
]
}
{
"Version": "2012-10-17",
"Id": "ZencoderBucketPolicy",
"Statement": [
{
"Sid": "Stmt1295042087538",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::395540211253:root"
},
"Action": [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:ListMultipartUploadParts"
],
"Resource": "arn:aws:s3:::MY-BUCKET/*"
},
{
"Sid": "Stmt1295042087538",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::395540211253:root"
},
"Action": [
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::MY-BUCKET"
}
]
}
im just looking for a solution to implement both bucket polices in one bucket
You can't do this. A bucket can have only one policy. So you have to join your two policies, into one by adding new Statement:
{
"Version": "2012-10-17",
"Id": "ZencoderBucketPolicy",
"Statement": [
{
"Sid": "Stmt1295042087538",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::395540211253:root"
},
"Action": [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:ListMultipartUploadParts"
],
"Resource": "arn:aws:s3:::MY-BUCKET/*"
},
{
"Sid": "Stmt1295042087538",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::395540211253:root"
},
"Action": [
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::MY-BUCKET"
},
{
"Sid": "Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::newbbbb/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://www.vlogmo.com/*"
}
}
}
]
}
Hi I follow the instruction of this answerd and got the same error.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1614469992506",
"Principal": "*",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<S3_Name>/*"
}
]
}
I got the error:
Action does not apply to any resource(s) in statement
I check the documentation and I can't found any solution.
ListBucket should be on the bucket resource itself, where as the other Object Actions should be on the objects within the bucket. so, we need /* for all the objects of the bucket.
IAM Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<S3_Name>/*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<S3_Name>"
}
]
}
Bucket Policy:
Same as IAM Policy, except it has Principal attached.
"Principal":"*" or "Principal":{"AWS":"*"} will give public access and
"Principal":{"AWS":"arn:aws:iam::AccountNumber-WithoutHyphens:root"} will give access to entire Aws Account.
Some details here and here
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<S3_Name>/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<S3_Name>"
}
]
}
you can try this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<S3_Name>",
"arn:aws:s3:::<S3_Name>/*"
]
}
]
}
I am trying to restrict user access at the object level in S3.
There are 2 folders in the s3 bucket. I am trying to give access to only one folder among the object.
The two folders are:
broker
carrier
This is the IAM Role policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::lodeobucket"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}
But the user is able to access the carrier folder as well.
Could anyone suggest what am I missing?
If you add the following conditon:
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
you user will not be able to enter carrier folder. It will still be visible in console. I don't think you can "hide" other folders, as this will break console access.
You can try the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::lodeobucket",
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}
It has been 2 hours trying to figure it out. I have an IAM User s3readonly with following attached policy :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::MyBucket"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::MyBucket/*"
}
]
}
and S3 Bucket Policy for MyBucket (changed names):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow Read Only for s3readonly user",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MyAccountId:user/s3readonly"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::MyBucket"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MyAccountId:user/s3readonly"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::MyBucket/*"
}
]
}
However, even after so many changes I have arrived at above after, when I login as s3readonly, I get "Access Denied" in the S3 Dashboard
Can anyone help?
We have an existing S3 bucket policy in production:
{
"Version": "2012-10-17",
"Id": "Policy[redacted]",
"Statement": [
{
"Sid": "ServiceA access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[redacted]:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mysite-production/*"
},
{
"Sid": "ServiceA access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[redacted]:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mysite-production"
},
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mysite-production/*"
}
]
}
We have another 3rd party service we want to grant access which requires:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
}
]
}
I've tried merging the ListAllMyBuckets and GetBucketLocation into the final section of our original policy but that yields "Policy has invalid action" errors:
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::mysite-production/*"
}
How can I merge these into one cohesive policy? Or is it possible for a bucket to have two policies?
Thanks in advance!
You can actually apply both IAM policies and S3 bucket policies
simultaneously, with the ultimate authorization being the least-privilege union of all the permissions.
Source: https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/