We Keep Coding

Which is more powerful, the authenticated user's role or the bucket's policy?

I have an identity pool which has the following policy attached to the authenticated users role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:CreateBucket"
],
"Resource": "arn:aws:s3:::*"
}
]
}
And I have the following bucket policy applied on an S3 bucket called testbucketoz123
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucketoz123/*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/CognitoIdentityId": "099702b2-0c2e-42ce-8e27-3012ab6032ad"
}
}
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucketoz123",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/CognitoIdentityId": "099702b2-0c2e-42ce-8e27-3012ab6032ad"
}
}
}
]
}
Correct me if I am missing something, but I think the above bucket policy allows just the user with the Cognito Identity ID "099702b2-0c2e-42ce-8e27-3012ab6032ad" to perform the actions "s3:PutObject" and "s3:GetObject" on all objects within the S3 bucket testbucketoz123. It also allows the same user to list the contents of the testbucketoz123 bucket.
My questions are:
Can any authenticated user access the 'testbucketoz123' bucket or just the Cognito User with the Cognito Identity ID 099702b2-0c2e-42ce-8e27-3012ab6032ad?
Note
I have set the same bucket policy, but the authenticated users were having the AWSS3FullAccess Permission, and the result was:
Every authenticated user has access to the 'testbucketoz123' bucket despite the bucket policy.
I assume that if a user has the AWSS3FullAccess policy, it would allow them full access to all S3 buckets within your account, regardless of any other policies that may be in place.
If so, how to limit access of a bucket to just one Cognito user? Thanks in advance

Bucket policies and user policies are two access policy options available for granting permission to your Amazon S3 resources.
This means either can Allow access, and your first policy allows access to testbucketoz123 and it's objects.
In addition to the Allow on aws:PrincipalTag/CognitoIdentityId you can add a corresponding Deny when the Condition is not met. However, be careful not to over-Deny Actions, otherwise your administrators will not be able to manage the bucket.
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucketoz123/*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/CognitoIdentityId": "099702b2-0c2e-42ce-8e27-3012ab6032ad"
}
}
},
{
"Sid": "DenyNonCognitoUserAccess",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucketoz123/*",
"Condition": {
"StringNotEquals": {
"aws:PrincipalTag/CognitoIdentityId": "099702b2-0c2e-42ce-8e27-3012ab6032ad"
}
}
}

AWS policy to allow access only to a specific bucket folder

I am trying to create an IAM policy to allow a user access only to a specific folder in an S3 bucket.
How do I do this using visual policy editor?
In the resource section if I mention the arn for the folder, the user is being denied access to the whole bucket.

Here is a policy that grants access to a specific folder within a bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["folder1/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/folder1/*"]
}
]
}
Things to note:
The ListBucket operation that allows listing a bucket is a permission on the bucket itself (not a path). To restrict which folders they can list, the folder must be specified via the s3:prefix.
The GetObject and PutObject operations operate on objects, so the folder can be referenced in the ARN.
It is also possible to use IAM Policy Elements: Variables and Tags to refer to a username. This policy can be applied to an IAM Group and will allow each user access to a folder with their own name:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
}
]
}

S3 PutObject Access Denied when deploying to

I want to create an IAM user whose sole job is to deploy to AWS S3 Static Website.
I have this policy given to my DeployUser:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::www.<my-site-name>.com"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutBucketAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
}
]
}
And this is my bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
}
]
}
And this is the issue I get when I deploy (I am using Github Actions for this):
upload failed: public/404.html to s3://www.<my-site-name>.com/404.html An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
In Github, I passed the access key and secret of the user to my Action. I am pretty sure it is using that user to do the transaction. When I give S3FullAccess, my user is able to do it just fine. But I want to create a user with the AWS actions it only needs.
Where can I see better logs of this IAM user's actions?

Based on the comments, the solution was to add PutObject in the backed policy for the DeployUser.

What is Wrong With My AWS Policy?

I am trying to give a programmatic IAM user access to a single bucket.
I setup the following policy and attached it to the user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
Trying to programatically upload a file I got a 403.
I got this policy from here:
Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
I verified that everything else is working by then adding an AWS managed policy, AmazonS3FullAccess, after which my upload succeeded. But I would rather not give this user full access.
There are no other policies attached to this user.

Nothing is wrong with your policy. Make sure you're using the right bucket name in the IAM policy and to add the policy to the user.
You can test it with IAM Policy Simulator. Maybe you should consider the time to policies take effect, but it's "almost immediately". See this answer.

You can try this policy to give full access to a particular bucket:
{
"Version": "2012-10-17",
"Statement": [{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<BUCKETNAME>/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
Since you are providing Put, Get, Delete, You might as well provide full access to the particular bucket.

Proper (optimal) configuration of S3 Bucket Policy with IAM User

I'd have some experience with S3 bucket policies but recently I've started experimenting with IAM users/groups and S3 bucket ACLs. What bothers me is that I fail to understand how they work together. Who overwrites what? What I want to accomplish is to have specific IAM user (with credentials) that will be used as for uploading in my application. I've attached IAM Policy to it that looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::*"
}
]
}
This policy is attached to the IAM user. Then I've created following policy on S3 Bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DefaultPrivate",
"Effect": "Deny",
"Principal": "*",
"Action": "*",
"Resource": "arn:aws:s3:::xxxxx-xxxxxx-xxxx/*"
},
{
"Sid": "ThumbnailAndGaleryReadOnly",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::xxxx-xxx-xxxx-xxxx/*/xxxxx/*",
"arn:aws:s3:::xxxxx-xxxxx-xxxxx/*/xxxxxxx/*"
]
},
{
"Sid": "S3UploaderWrite",
"Effect": "Allow",
"Principal": {"AWS":"arn:aws:iam::xxxxxxxxxx:user/xxxxxxxx"},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::xxxxxxxxxxxx/*"
}
]
}
Unfortunately as long as "Deny" block is present in the S3 policy - it doesn't allow my S3 user to upload files. Is it possible that I can't "override" Deny for specific user with the "Allow" block (IAM identifier is ok - I've double checked). Removing "Deny" blocks get it to work but ... That's not the point.
Any comments about the issue? How to explicitly deny everything and then allow only certain actions for certain IAM users/groups/roles ?
Thanks.

U could remove deny principal *. U could specify ur denied user or roles like "Principal": {"AWS":"arn:aws:iam::xxxxxxxxxx:user/xxxxxxxx"}. Its solve ur problem.