Access denied for AWS CloudFront signed URL - amazon-web-services

I have set up the following information:
Created an AWS S3 bucket and Uploaded some images into the particular folder
Created an AWS CloudFront web distribution:
Origin Domain Name: Selected S3 bucket from the list
Restrict Bucket Access: Yes
Origin Access Identity: Selected existed Identity
Grant Read Permissions on Bucket: Yes, Update Bucket Policy
AccessDenied
Access denied
I have got the signed URL from the above process like
image.png?policy=xxxxx#signature=xxx#Key-Pair-Id=XXXXXXX
but I couldn't access the URL
Sample JSON for cloud front policy
{
  "Statement": [{
    "Resource": "XXXXXXXXXX.cloudfront.net/standard/f7cecd92-5314-4263-9147-7cca3041e69d.png",
    "Condition": {
      "DateLessThan": {
        "AWS:EpochTime": 1555021200
      },
      "IpAddress": {
        "AWS:SourceIp": "0.0.0.0/0"
      },
      "DateGreaterThan": {
        "AWS:EpochTime": 1554848400
      }
    }
  }]
}
Added CloudFront bucket policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::bucket_name/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket_name"
    }
  ]
}

It looks like the AccessDenied error you're seeing has nothing to do with the steps you have mentioned. The Origin Access Identity is to allow CloudFront to access S3 using a special user with SigV4; using the above steps, you'll see an Allow statement added to the bucket policy.
If it's an error from S3, you'll see two request IDs (host ID and request ID) along with the Access Denied message.
image.png?policy=xxxxx#signature=xxx#Key-Pair-Id=XXXXXXX
If you're seeing Access denied, the error is with the CloudFront signed URL (restricted viewer access).
To see what's wrong with the generated CloudFront signed URL, try to base64 decode the policy value and check whether the Resource URL, expiry, etc. are correct.
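Following the answer's advice to decode the policy value, here is an added Python helper (not part of the question or the answer above) that decodes the Policy parameter of a CloudFront signed URL. CloudFront writes the policy in its own URL-safe base64 variant ('+', '=' and '/' become '-', '_' and '~'), so a plain base64 decoder fails on it. The helper then checks the points a 403 usually comes down to: the Resource pattern against the URL actually requested, the DateLessThan/DateGreaterThan window (and an epoch value that looks like milliseconds rather than seconds), and a '#' used where '&' should separate the signing parameters, because a browser never sends the fragment, so Signature and Key-Pair-Id would not reach CloudFront. The domain, key pair ID, signature and policy values in it are constructed placeholders, and it does not verify the RSA signature.

```python
import base64
import fnmatch
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Query parameters CloudFront strips before comparing the URL with the policy's Resource.
SIGNING_PARAMS = ("Policy", "Signature", "Key-Pair-Id", "Expires")


def cloudfront_b64decode(value: str) -> bytes:
    """Undo CloudFront's URL-safe base64: it writes '+' as '-', '=' as '_' and '/' as '~'."""
    return base64.b64decode(value.replace("-", "+").replace("_", "=").replace("~", "/"))


def cloudfront_b64encode(data: bytes) -> str:
    """CloudFront's base64 variant; used here only to build the constructed sample URL."""
    return (base64.b64encode(data).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))


def inspect_signed_url(url: str, now: Optional[int] = None) -> dict:
    """Decode the Policy of a CloudFront signed URL and list likely reasons for a 403.
    The RSA signature itself is not checked (that needs the trusted public key)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []

    if parts.fragment:
        findings.append("URL contains '#': the client never sends the fragment, "
                        "so parameters after it do not reach CloudFront")
    for name in ("Policy", "Signature", "Key-Pair-Id"):
        if name not in query:
            findings.append(f"missing query parameter {name}")

    policy = None
    if "Policy" in query:
        try:
            policy = json.loads(cloudfront_b64decode(query["Policy"][0]))
        except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
            findings.append(f"Policy does not decode to JSON: {exc}")

    if policy is not None:
        # CloudFront matches Resource against the full URL minus the signing parameters.
        remaining = {k: v for k, v in query.items() if k not in SIGNING_PARAMS}
        requested = urlunsplit((parts.scheme, parts.netloc, parts.path,
                                urlencode(remaining, doseq=True), ""))
        for stmt in policy.get("Statement", []):
            resource = stmt.get("Resource", "")
            if not fnmatch.fnmatchcase(requested, resource):
                findings.append(f"Resource {resource!r} does not match requested URL {requested!r}")
            cond = stmt.get("Condition", {})
            expires = cond.get("DateLessThan", {}).get("AWS:EpochTime")
            starts = cond.get("DateGreaterThan", {}).get("AWS:EpochTime")
            if expires is None:
                findings.append("DateLessThan/AWS:EpochTime is missing")
            elif expires > 10**11:
                findings.append("DateLessThan looks like milliseconds; CloudFront expects seconds")
            elif expires <= now:
                findings.append(f"policy expired at {expires} (now {now})")
            if starts is not None and starts > now:
                findings.append(f"policy not valid until {starts} (now {now})")
    return {"policy": policy, "findings": findings}


# Constructed sample values (placeholders, not values from the question above).
SAMPLE_NOW = 1554900000
SAMPLE_POLICY = {"Statement": [{
    "Resource": "https://d111111abcdef8.cloudfront.net/standard/photo.png",
    "Condition": {"DateLessThan": {"AWS:EpochTime": SAMPLE_NOW + 3600}}}]}


def build_sample_url(policy: dict, fragment_bug: bool = False) -> str:
    """Assemble a signed-URL shape; '#' instead of '&' reproduces the fragment mistake."""
    encoded = cloudfront_b64encode(json.dumps(policy, separators=(",", ":")).encode())
    sep = "#" if fragment_bug else "&"
    return ("https://d111111abcdef8.cloudfront.net/standard/photo.png"
            f"?Policy={encoded}{sep}Signature=PLACEHOLDER{sep}Key-Pair-Id=APKAEXAMPLE")


if __name__ == "__main__":
    for bug in (False, True):
        print(inspect_signed_url(build_sample_url(SAMPLE_POLICY, bug), now=SAMPLE_NOW)["findings"])
```

Run it against a real URL with `inspect_signed_url(url)`; an empty findings list means the policy itself looks consistent and the remaining suspects are the signature, the key pair registered with the distribution, or the origin side.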

Related

access denied when I attempt to upload to s3 with a signed post could it be the bucket policy?

I have an S3 bucket which does not have public access. I have a bucket policy, but it was automatically generated when I connected a CDN to the bucket for an origin access identity.
But that's all the policy has.
Bucket policies are dicks for me. I'm wondering if this is in fact the problem or if it may be something else.
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::shofi-mod/*"
    }
  ]
}
For comparison, here is the bucket policy of my other bucket that does have public access. I am looking at the two for clues of what I should do.
{
  "Version": "2012-10-17",
  "Id": "",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:::user/shofi-stuff-bucket-user"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetBucketLocation",
        "s3:Get*",
        "s3:Put*"
      ],
      "Resource": "arn:aws:s3:::shofi-stuff"
    }
  ]
}
thank you so much kings
There are a few topics here.
The first bucket policy you have shown simply grants access to CloudFront via an Allow policy. It would not interfere with the pre-signed URL.
The second bucket policy (while not being directly relevant to your question) has an error in it. When using GetObject and PutObject, access must be granted to the contents of the bucket, not the bucket itself. (Whereas ListBucket does apply to the bucket.)
Therefore, the Resource should grant access to the bucket and the contents of the bucket:
"Resource": ["arn:aws:s3:::shofi-stuff", "arn:aws:s3:::shofi-stuff/*"]
As to why your pre-signed URL is not working, it would either be due to:
The underlying credentials (IAM User, IAM Role) that were used to generate the pre-signed URL do not have permission to perform the upload (perhaps due to a similar Resource problem), or
The pre-signed URL is being incorrectly generated
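The object-versus-bucket resource mismatch the answer describes is easy to catch mechanically. The following Python linter is an added example, not code from the question or the answer: it expands action wildcards such as `s3:Get*` against a small table of known object-level and bucket-level actions and reports any Allow statement that grants object actions without an `arn:aws:s3:::bucket/...` resource, or bucket actions without the bare bucket ARN. The sample policies are the question's second policy as posted and its corrected form; the account ID in the principal is a placeholder, since the question omits it.

```python
import fnmatch
from typing import Any, Dict, List

# Object-level actions take effect on arn:aws:s3:::bucket/key (usually bucket/*);
# bucket-level actions take effect on arn:aws:s3:::bucket. A subset is enough for the check.
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
                  "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation",
                  "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:ListBucketMultipartUploads"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def expand_actions(patterns: List[str]) -> set:
    """Resolve wildcards such as s3:Get* against the known action names (case-insensitive)."""
    return {a for a in OBJECT_ACTIONS | BUCKET_ACTIONS
            for p in patterns if fnmatch.fnmatchcase(a.lower(), p.lower())}


def _resource_kinds(resources: List[str]):
    """Return (has_bucket_arn, has_object_arn) for a statement's Resource list."""
    has_bucket = has_object = False
    for r in resources:
        if r == "*":
            return True, True
        if "/" in r.split(":::", 1)[-1]:
            has_object = True
        else:
            has_bucket = True
    return has_bucket, has_object


def lint_bucket_policy(policy: Dict[str, Any]) -> List[str]:
    """Report Allow statements whose actions cannot take effect on the resources they name."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not resources:
            continue
        has_bucket, has_object = _resource_kinds(resources)
        actions = expand_actions(_as_list(stmt.get("Action", [])))
        label = stmt.get("Sid") or f"statement {index}"
        object_level = sorted(actions & OBJECT_ACTIONS)
        bucket_level = sorted(actions & BUCKET_ACTIONS)
        if object_level and not has_object:
            findings.append(f"{label}: {', '.join(object_level)} need an object resource "
                            f"such as {resources[0].rstrip('/')}/*")
        if bucket_level and not has_bucket:
            findings.append(f"{label}: {', '.join(bucket_level)} apply to the bucket itself, "
                            f"e.g. {resources[0].split('/', 1)[0]}")
    return findings


# The question's second policy as posted (account ID is a placeholder).
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/shofi-stuff-bucket-user"},
    "Action": ["s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation",
               "s3:Get*", "s3:Put*"],
    "Resource": "arn:aws:s3:::shofi-stuff"}]}

# The same statement with the Resource the answer recommends.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [dict(
    BROKEN_POLICY["Statement"][0],
    Resource=["arn:aws:s3:::shofi-stuff", "arn:aws:s3:::shofi-stuff/*"])]}


if __name__ == "__main__":
    print(lint_bucket_policy(BROKEN_POLICY))  # one finding about s3:GetObject etc.
    print(lint_bucket_policy(FIXED_POLICY))   # []
```

The linter only sees the bucket policy; an upload can still fail because the identity policy of the credentials that signed the URL has the same kind of Resource mistake, which is the answer's first bullet.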

Files uploaded with CloudFront 403 error when accessing Root account via AWS Console

Uploading files through CloudFront to s3 bucket via a CloudFront Origin Access Identity runs successfully, however properties of the uploaded files are unable to be modified and some meta-data is unable to be accessed by the root user of my AWS account. I am able to get the files through the CloudFront endpoint, however I do not understand why I am not able to modify or access some fields of the uploaded files through my AWS root account via the AWS Management Console.
The default ACL in the s3 bucket is for the root user account as can be seen below:
I added in a second policy to my bucket just to ensure that the root user has explicit access to the files. The full bucket policy can be seen below:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity 00000000000000"
        ]
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/stuff/",
        "arn:aws:s3:::my-bucket/stuff/*",
        "arn:aws:s3:::my-bucket/other-stuff/",
        "arn:aws:s3:::my-bucket/other-stuff/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket/stuff/",
        "arn:aws:s3:::my-bucket/stuff/*",
        "arn:aws:s3:::my-bucket/other-stuff/",
        "arn:aws:s3:::my-bucket/other-stuff/*"
      ]
    }
  ]
}
When I view a file that I have uploaded through CloudFront I am receiving an Access Denied for numerous options on the file overview tab:
I am also receiving more Access Denied from the file properties tab on the same file:
You need to pass the ACL "bucket-owner-full-control" with the PUT/POST call you're making with the CloudFront link, and also modify the bucket policy for CloudFront to allow you s3:PutObjectAcl.

Error: Access Denied in S3 bucket after applying VPC policy

I have applied a policy to allow only connections from my VPC:
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909153",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      },
      "Principal": "*"
    }
  ]
}
But now I'm getting "Access Denied" even when I try to access it from the AWS Console from an instance in the given VPC:
I've read https://aws.amazon.com/premiumsupport/knowledge-center/s3-regain-access/, but unfortunately I use a company-provided federated login and I don't have access to the full root user.
My question is why can't I access the bucket even when inside the VPC?
Some similar questions that I found - Policy Denying Access On Amazon S3 and S3 VPC end point Bucket policy
To prevent your policy from being applied to your federated users in AWS console, you could "whitelist" them using the NotPrincipal element instead of Principal in your policy statement. For example:
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909153",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      },
      "NotPrincipal": {
        "Federated": "arn:aws:iam::YOUR-AWS-ACCOUNT-ID:saml-provider/YOUR-PROVIDER-NAME"
      }
    }
  ]
}
Do you have a VPC endpoint for S3 set up?
There are two ways to access objects in S3. One is through the AWS console and the other is through HTTPS calls to the S3 object.
If you're trying to access the bucket from the AWS console, then permission is governed by your IAM user/role and bucket policy. You're using a federated login, so I'm assuming it's a role.
From an instance in VPC-111bbb222, log out of the AWS console and try to access an object in that bucket using the HTTPS URL.

AWS - Server side encryption Access denied- Change encryption failure for root user

I have read/write/admin access to an S3 bucket I created. I can create objects in there and delete them as expected.
Other folders exist on the bucket that were transferred there from another AWS account. I can't download any items from these folders.
When I click on the files there is info stating "Server side encryption Access denied". When I attempt to remove this encryption it fails with the message:
Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: 93A26842904FFB2D; S3 Extended Request ID: OGQfxPPcd6OonP/CrCqfCIRQlMmsc8DwmeA4tygTGuEq18RbIx/psLiOfEdZHWbItpsI+M1yksQ=)
I'm confused as to what the issue is. I am the root user/owner of the bucket and would have thought I would be able to change the permissions/encryption of this material?
Thanks
You must ensure that you remain the owner of the files in the S3 bucket and not the other AWS accounts that upload to it.
Example S3 bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allowNewDataToBeUploaded",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::$THE_EXTERNAL_ACCOUNT_NUMBER:root"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::$THE_BUCKET_NAME/*"
    },
    {
      "Sid": "ensureThatWeHaveOwnershipOfAllDataUploaded",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::$THE_EXTERNAL_ACCOUNT_NUMBER:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$THE_BUCKET_NAME/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
The external account must also use the x-amz-acl header in their request:
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;

ObjectMetadata metaData = new ObjectMetadata();
metaData.setContentLength(byteArrayLength);
// Grant the bucket owner full control of the new object, otherwise the Deny statement above rejects the upload
metaData.setHeader("x-amz-acl", "bucket-owner-full-control");
s3Client.putObject(new PutObjectRequest(bucketNameAndFolder, fileKey, fileContentAsInputStream, metaData));
Additional reading:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
AWS S3 Server side encryption Access denied error
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/
https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html
https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html
https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTacl.html
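Both the VPC-only Deny policy in the previous question and the ownership policy in this answer hinge on how a Deny statement with a `StringNotEquals` condition evaluates, and on the difference between `Principal` and `NotPrincipal`. The following Python is an added example, not code from either thread: a deliberately small evaluator for a single S3 bucket policy (explicit Deny wins, wildcard action and resource matching, `Principal`/`NotPrincipal`, `StringEquals`/`StringNotEquals`). It models only the bucket policy, so "NoMatch" means the policy is silent and the caller's IAM identity policies decide; it does not attempt the full IAM evaluation logic, and it matches a federated principal by plain ARN equality, which is a simplification. Account IDs, the bucket name and the SAML provider ARN are placeholders. The two scenarios it replays are the console request with no `aws:sourceVpc` in the request context, which is why the VPC-only policy denies it, and the cross-account PUT with and without the `x-amz-acl` header.

```python
import fnmatch
from typing import Any, Dict, List, Optional


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt: Dict[str, Any], principal_arn: str) -> bool:
    """Principal "*" matches everyone; NotPrincipal matches everyone except the listed ARNs."""
    if "NotPrincipal" in stmt:
        listed = [a for v in stmt["NotPrincipal"].values() for a in _as_list(v)]
        return principal_arn not in listed
    principal = stmt.get("Principal")
    if principal is None:
        return False
    if principal == "*":
        return True
    listed = [a for v in principal.values() for a in _as_list(v)]
    return "*" in listed or principal_arn in listed


def _conditions_hold(conditions: Dict[str, Any], context: Dict[str, str]) -> bool:
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # A key absent from the request context satisfies a negated operator:
                # this is why a console request (no aws:sourceVpc) hits the VPC-only Deny.
                if actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy: Dict[str, Any], principal_arn: str, action: str,
             resource_arn: str, context: Optional[Dict[str, str]] = None) -> str:
    """Return "Deny", "Allow" or "NoMatch" for one request against one bucket policy."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny wins regardless of any Allow
        allowed = True
    return "Allow" if allowed else "NoMatch"


# --- Scenario 1: the VPC-only policy, with Principal "*" versus NotPrincipal (placeholders) ---
FEDERATED = "arn:aws:iam::111122223333:saml-provider/ExampleIdP"
OTHER_USER = "arn:aws:iam::111122223333:user/someone-else"


def vpc_only_policy(use_not_principal: bool) -> Dict[str, Any]:
    stmt = {"Sid": "Access-to-specific-VPC-only", "Action": "s3:*", "Effect": "Deny",
            "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-111bbb22"}}}
    if use_not_principal:
        stmt["NotPrincipal"] = {"Federated": FEDERATED}
    else:
        stmt["Principal"] = "*"
    return {"Version": "2012-10-17", "Statement": [stmt]}


# --- Scenario 2: the ownership policy from this answer (placeholders for account and bucket) ---
EXTERNAL_ROOT = "arn:aws:iam::999999999999:root"
BUCKET = "arn:aws:s3:::example-bucket"
OWNERSHIP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "allowNewDataToBeUploaded", "Effect": "Allow",
     "Principal": {"AWS": EXTERNAL_ROOT},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": BUCKET + "/*"},
    {"Sid": "ensureThatWeHaveOwnershipOfAllDataUploaded", "Effect": "Deny",
     "Principal": {"AWS": EXTERNAL_ROOT},
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}


if __name__ == "__main__":
    obj = "arn:aws:s3:::examplebucket/report.csv"
    print("console, Principal *:   ", evaluate(vpc_only_policy(False), FEDERATED, "s3:GetObject", obj))
    print("console, NotPrincipal:  ", evaluate(vpc_only_policy(True), FEDERATED, "s3:GetObject", obj))
    print("PUT with owner ACL:     ", evaluate(OWNERSHIP_POLICY, EXTERNAL_ROOT, "s3:PutObject",
                                               BUCKET + "/k", {"s3:x-amz-acl": "bucket-owner-full-control"}))
    print("PUT without ACL header: ", evaluate(OWNERSHIP_POLICY, EXTERNAL_ROOT, "s3:PutObject", BUCKET + "/k"))
```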
This is an interesting problem. I've seen this before when the KMS key that is required to decrypt the files isn't available/accessible. You can try moving the KMS key from the old account to the new account or making the key accessible from the old account.
https://aws.amazon.com/blogs/security/share-custom-encryption-keys-more-securely-between-accounts-by-using-aws-key-management-service/

S3 Static Webpage Access Denied Error for ACL policy

I have a webpage hosted in S3 which is to be accessed only by specific users within the account. For testing purposes, I added the below bucket policy, which has my IAM ARN specified in the Principal, but I'm getting an access denied error when trying to access the page (which is in that bucket) via the S3 URL https://s3.amazonaws.com/..... despite being signed in.
Can you please let me know what I'm doing wrong here.
Bucket Policy:
{
  "Version": "2012-10-17",
  "Id": "Policy1484430450679",
  "Statement": [
    {
      "Sid": "Stmt1484430445422",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123:user/testuser"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::testbucket/*"
    }
  ]
}
If I give Principal as '*', then the webpage is accessible via S3 url.