We Keep Coding

How to update the IAM policy that IAM role to have the same permission set the IPs have?

How to update the IAM policy below so that the IAM role, arn:aws:iam::7574333677569:role/dev-abc-webserver, also have permissions?
{
"Version": "2012-10-17",
"Id": "Policy1517260196123",
"Statement": [
{
"Sid": "Stmt1432661968133",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::pdf.abc.com/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"24.237.272.151/32",
"42.69.252.185/32",
]
}
}
}
]
}
The issue I faced is that The IAM role doesn't have permission with it currently,
I want the IAM role to have the same permission set as the IPs have.
We don't need to change the policy
, We need to expand what it already grants access to the provided IAM role.
So ""Condition": {" needs to be expanded so we are checking for our IPs or the IAM role.
I am not able to figure out how to provide access via the IAM role yet.
I did check some aws documentation but not able to figure it out .
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
Could anyone Help me with this issue, any help should be appreciated?

Since multiple conditions within a statement are always ANDed and never ORed you need a second statement to grant the permission to other entities. That statement will have a different Principal and the Condition can be removed.
{
"Version": "2012-10-17",
"Id": "Policy1517260196123",
"Statement": [
{
"Sid": "Stmt1432661968133",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::pdf.abc.com/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"24.237.272.151/32",
"42.69.252.185/32",
]
}
}
}, {
"Sid": "StmtForRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::7574333677569:role/dev-abc-webserver"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::pdf.abc.com/*"
}
]
}

Allow IAM user to access specific folder in AWS S3 Bucket to view and upload objects

I have multiple s3 buckets, i need to allow one s3 bucket folder access to IAM user to upload and view objects. can some one assist me how to do this.

If you wish to grant specific IAM User(s) access to particular folders within an Amazon S3 bucket, you can create an IAM Policy and attach it to the user.
From User policy examples - Amazon Simple Storage Service:
To grant each user access only to his or her folder, you can write a policy for each user and attach it individually. For example, you can attach the following policy to user Alice to allow her specific Amazon S3 permissions on the awsexamplebucket1/Alice folder.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::awsexamplebucket1/Alice/*"
},
{
"Sid": "AllowListBucketOfASpecificUserPrefix",
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::awsexamplebucket1",
"Condition": {
"StringLike": {
"s3:prefix": [
"Alice/*"
]
}
}
}
]
}
If you want to do this for multiple users, the easiest way is to create a single policy and attach it to an IAM Group, the put the users in the group. This policy will grant them access to a folder with the same name as their username:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::awsexamplebucket1/${aws:username}/*"
},
{
"Sid": "AllowListBucketOfASpecificUserPrefix",
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::awsexamplebucket1",
"Condition": {
"StringLike": {
"s3:prefix": [
"${aws:username}/*"
]
}
}
},
]
}

Restrict all access to a s3 bucket and allow 1 IAM user

As a plan to deprecate s3 objects, I am revoking all access apart from mine. I tried 2 ways but I see I am not able to see the bucket policy.
Error message from console:
You don’t have permission to get bucket policy
You or your AWS administrator must update your IAM permissions to allow s3:GetBucketPolicy. After you obtain the necessary permission, refresh the page. Learn more about Identity and access management in Amazon S3
First:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::ck",
"arn:aws:s3:::k/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA"
]
}
}
}
]
}
Second:
{
"Id": "bucketPolicy",
"Statement": [
{
"Action": "s3:*",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::0220:user/an"
]
},
"Resource": [
"arn:aws:s3:::tes",
"arn:aws:s3:::tes/*"
]
}
],
"Version": "2012-10-17"
}

Does S3 provide any bucket policy to share the objects to IAM user for a limited time?

I want to share my bucket (sourcebucket) with an IAM User (testuser) for a limited time window. Does AWS provide any bucket policy so that I can share my bucket objects with the IAM User for a limited time frame?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678910:user/testuser"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::sourcebucket/*",
"arn:aws:s3:::sourcebucket"
]
}
]
}

Does AWS provide any bucket policy so that I can share my bucket objects with the IAM User for a limited time frame?
Yes.
Check the DateGreaterThan and DateLessThan conditions and the aws:CurrentTime condition key. Here's an example, using the policy in your question as a base:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678910:user/testuser"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::sourcebucket/*",
"arn:aws:s3:::sourcebucket"
],
"Condition": {
"DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
"DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}
}
}
]
}
Here are some useful links:
AWS Global Condition Context Keys: aws:CurrentTime
AWS: Allows Access Within Specific Dates

S3 Private Bucket

I'm trying to create a private S3 bucket with limited access. I only want myself as a user and an EC2 role to have access to the bucket. The purpose of the bucket is to store encrypted SSH keys that will be copied onto machines in an autoscaling group. Right now, when I run aws sync against the bucket, here is the output:
cogility#ip-10-10-200-113:~$ aws s3 sync s3://sshfolder.companycloud.com/cogility /home/cogility/.ssh
download failed: s3://sshfolder.companycloud.com/cogility/id_rsa to ../cogility/.ssh/id_rsa An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
download failed: s3://sshfolder.companycloud.com/cogility/id_rsa.pub to ../cogility/.ssh/id_rsa.pub An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
I create the EC2 instances with an EC2 role with the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"kms:List*",
"kms:Get*",
"kms:Describe*"
],
"Resource": "arn:aws:kms:us-west-2:0000000000:key/kms-id-01234567890"
},
{
"Sid": "",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::sshfolder.companycloud.com/*",
"arn:aws:s3:::sshfolder.companycloud.com"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:*",
"ec2:*",
"cloudwatch:*",
"autoscaling:*"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"lambda:List*",
"lambda:Invoke*",
"lambda:Get*"
],
"Resource": "*"
}
]
}
And here is the bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::sshfolder.companycloud.com",
"arn:aws:s3:::sshfolder.companycloud.com/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAXXXXXXXXXXXXXXXXX", <-- autoscaling-ec2-role user id
"AROAXXXXXXXXXXXXXXXXX",
"AIDAXXXXXXXXXXXXXXXXX",
"AIDAXXXXXXXXXXXXXXXXX"
],
"aws:sourceVpce": "vpce-abc82480d"
},
"ArnNotLike": {
"aws:SourceArn": "arn:aws:sts::000000000000:assumed-role/autoscaling-ec2-role/"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000000:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::sshfolder.companycloud.com",
"arn:aws:s3:::sshfolder.companycloud.com/*"
]
}
]
}
Any idea why I'm not able to access the S3 bucket from my EC2 instance?

Amazon S3 buckets are private by default. Therefore, one approach would be:
Do not use a Bucket Policy
Add permissions to your IAM User and the IAM Role to access the bucket
Alternatively:
Use a Bucket Policy to grant access to the IAM User and IAM Role
Both would be sufficient to meet your needs.
However, if you are further paranoid that somebody might accidentally grant access to the bucket (eg with s3:* and a principal of *), then your approach of explicitly Denying access to anyone other than that User & Role is a good approach.

deny trumps allow in your bucket policy. You need to use not principal to achieve this.
"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::000000000000:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::sshfolder.companycloud.com",
"arn:aws:s3:::sshfolder.companycloud.com/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAXXXXXXXXXXXXXXXXX", <-- autoscaling-ec2-role user id
"AROAXXXXXXXXXXXXXXXXX",
"AIDAXXXXXXXXXXXXXXXXX",
"AIDAXXXXXXXXXXXXXXXXX"
],
"aws:sourceVpce": "vpce-abc82480d"
},
"ArnNotLike": {
"aws:SourceArn": "arn:aws:sts::000000000000:assumed-role/autoscaling-ec2-role/"
}
}
}
]
It just inverts the principal element. You can similarly use NotAction and NotResource as appropriate. You could do away with your conditionals altogether and just use NotPrincipal for all of them, it's generally better practice than conditionals.
Here is a resource on it: https://aws.amazon.com/blogs/security/how-to-create-a-policy-that-whitelists-access-to-sensitive-amazon-s3-buckets/