We Keep Coding

What's the right way to write an amazon s3 bucket policy?

I'm trying to upload an image from a .NET webservice to an amazon s3 bucket.
By using this public policy on the bucket i can do that:
{
"Id": "Policyxxxxxxxx",
"Version": "yyyy-MM-dd",
"Statement": [
{
"Sid": "xxxxxxxxxx",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::(bucketName)/*",
"Principal": "*"
}
] }
But when i try to give access only to my user/credentials like this:
{
"Id": "Policyxxxxxxxx",
"Version": "yyyy-MM-dd",
"Statement": [
{
"Sid": "xxxxxxxxxx",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::(bucketName)/*",
"Principal": {
"AWS": [
"arn:aws:iam::(accountID):user/(userName)"
]
}
}
]
}
i get "Accces Denied".
So what im doing wrong with the policy?

If you wish to grant access to an Amazon S3 bucket to a particular IAM User, you should put the policy on the IAM User itself rather than using a bucket policy.
For example, see: Create a single IAM user to access only specific S3 bucket

Why is this bucket policy being shown as public

I am relatively new to AWS.
So recently, we creates an AWS S3 bucket through the AWS console. Then we set the following policy on the bucket:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AddJPGImageFilter",
"Effect": "Allow",
"Principal": {
"AWS": "IAM user ARN"
},
"Action": "s3:PutObject",
"Resource": "bucket_name/*.jpg"
},
{
"Sid": "AddJPEGImageFilter",
"Effect": "Allow",
"Principal": {
"AWS": ""IAM user ARN""
},
"Action": "s3:PutObject",
"Resource": "bucket_name/*.jpeg"
},
{
"Sid": "AddPNGImageFilter",
"Effect": "Allow",
"Principal": {
"AWS": ""IAM user ARN""
},
"Action": "s3:PutObject",
"Resource": "bucket_name/*.png"
}
]
}
Now from what I understand the above policy means the resource would be accessible (with the S3:PutObject action allowed) to only the IAM user ARN mentioned in the Principal.
For it to be public, the Principal would need to be *.
Is my understanding correct ?
If yes, why is the AWS console still showing the above bucket as Public ?

AWS web console has page caching issues. Try logout, clear your cache and re-login again.
Thanks
Sanjog

S3 bucket access is locked

Its found that the S3 bucket in our account got applied with wrong bucket policy, now the access is denied for all users including root user
"bucketName": "somebucket",
"bucketPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt15348761457344",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::dhasg",
"Principal": "*"
},
{
"Sid": "Stmt153478299578",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::somebucket",
"Principal": "*"
}
]
We are not able to change the permission through AWS console and CLI and not able to delete the bucket also. How to fix it?

You should be able to edit the bucket policy as root. You will not be able to delete the bucket, even as root until you modify the policy.

AWS S3 sharing access to static website - 403 access denied

I've configured my bucket policy (for a static website hosted on an S3 bucket) so that another account can perform actions on this bucket. The policy looks something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket.com/*"
},
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00000000000:user/username"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket.com"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000000:user/username"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket.com/*"
}
]
}
The first object in "Statement" specifies that this bucket should be readable by the public, so that anyone can access the site (I am using Route 53 as well).
The second account is able to upload files to the bucket, however once he uploads a file, then access is restricted to that file, i.e. if he uploads index.html to the top-level directory of the bucket, then navigating to the website will produce a 403 access denied error.
I have looked into IAM roles, which I think may be related but would appreciate any help with this.

On Amazon S3 I'm able to give an individual object download rights but cannot for the entire bucket

I've got images on S3 that I'd like to share with my Rails app. I can get access to the images by setting the permission: Everybody - Open/Download on the S3 UI. I want to set this permission for all objects in the bucket. The bucket permission UI doesn't have the option of Open/Download for users. What is the action I need to assign in the bucket config command to allow this? Here is my current command:
{
"Version": "2008-10-17",
"Id": "anid",
"Statement": [
{
"Sid": "ansid",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::haggard/akey"
}
]
}

Your policy is probably wrong, this one is working fine for Everyone (Anonymous) users:
{
"Id": "Policy1416915063227",
"Statement": [
{
"Sid": "AddCannedAcl",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::examplebucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
I recommend to use the policy generator at the following link:
http://awspolicygen.s3.amazonaws.com/policygen.html