I recently ran into a problem with IAM policies while using Code-Build. And I am trying to understand the difference between the following 2 policies and check if there are any security implications of using version 2 over version 1.
Version 1 doesn't work, so I decided to go with version 2. But why does version 2 work and why doesn't version 1 doesn't work?
Version 1 only gives access to the CodePipeline resource and allows to read and write to S3 bucket object.
However Version 2 gives access to all S3 buckets, doesn't it? Would this be considered a security loophole?
Version 1
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
"arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-ap-southeast-1-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
}
]
}
Version 2
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
"arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-ap-southeast-1-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
},
{
"Sid": "S3AccessPolicy",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:GetObject",
"s3:List*",
"s3:PutObject"
],
"Resource": "*"
}
]
}
I have replicated the scenario by giving the restricted access to specific S3 Bucket.
Block 1: Allow required Amazon S3 console permissions Here i have granted CodePipeline to list all the buckets in the AWS account.
Block 2: Allow listing objects in root folders here my S3 Bucket Name is "aws-codestar-us-east-1-493865049436-larvel-test-pipe"
but i am surprised as when i followed the Steps from Creating CodePipeline to Create Build from the same Pipeline Console itself, i had got the same policy as your version 1 and it executed as well. However, as a next step, i gave a specific permission to a bucket in S3 as given below policy and it has worked. So in your version two rather than granting all permission to your resources Resource": "*" you can restrict a permission to a bucket only specific as described in below sample policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1",
"arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-us-east-1-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::aws-codestar-us-east-1-493865049436-larvel-test-pipe/*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
}
]
}
Related
why this policy is not working? it allows all command on all resources but not deny on the selected folders! how can i resolve this kind of problem?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::agdstorage/Storage_WK/Agedi Monaco/Banca",
"arn:aws:s3:::agdstorage/Storage_WK/Agedi Monaco/Bilanci",
"arn:aws:s3:::agdstorage/Storage_WK/Agedi Monaco/Bilanci/*",
"arn:aws:s3:::agdstorage/Storage_WK/Agedi Monaco/Contenziosi",
"arn:aws:s3:::agdstorage/Storage_WK/Agedi Monaco/Contenziosi/*",
"arn:aws:s3:::agdstorage/Storage_WK/Agedi France/Affari societari",
"arn:aws:s3:::agdstorage/Storage_WK/Agedi France/Affari societari/*",
]
},
{
"Sid": "Stmt1595519755000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::agdstorage/*",
"arn:aws:s3:::agdstorage"
]
}
]
}
Here is an example of using Deny. (I did not test this!)
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::agdstorage"
],
"Condition": {
"StringNotLike": {
"s3:prefix": [
"Storage_WK/Agedi Monaco/Banca/*",
"Storage_WK/Agedi Monaco/Bilanci/*",
"Storage_WK/Agedi Monaco/Contenziosi/*",
"Storage_WK/Agedi France/Affari societari/*"
]
}
}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::agdstorage/*"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::agdstorage/Storage_WK/Agedi Monaco/Banca/*",
"arn:aws:s3:::agdstorage/Storage_WK/Agedi Monaco/Bilanci/*",
"arn:aws:s3:::agdstorage/Storage_WK/Agedi Monaco/Contenziosi/*",
"arn:aws:s3:::agdstorage/Storage_WK/Agedi France/Affari societari/*"
]
}
]
}
Note that ListBucket is controlled via the Prefix, so it is simply using StringNotLike.
For GetObject and PutObject, it is using the resources you listed.
The ListBucket command operates at the bucket-level, not at the object-level.
Here is an example of a policy that grants access only to a specific folder:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["David/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/David/*"]
}
]
}
Note that ListBucket references the Bucket, but limits access by specifying a Prefix.
This is different to GetObject and PutObject that can be limited by providing a path in Resource.
To know how each command operates, consult Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management and refer to the Resource Types column.
If possible, try to avoid using Deny since negative logic can sometimes be less obvious (just like this sentence). It is better to only grant the desired permissions, rather than granting everything and then denying some permissions. For example, the policy shown in your question actually grants permission to delete objects outside of the specified folders (eg at the root level) and to even delete the bucket itself (if it is empty).
If you are simply wanting to grant users access to their own folder, you can use IAM Policy Elements: Variables and Tags:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
}
]
}
This automatically adjusts the policy based upon the username of the user, so they can access folders based on their username.
I have a folder structure in an s3 bucket (my-bucket) like this:
/folder1/
/folder2/subfolder/
/folder3/subfolder/subsubfolder/
file.ext
file2.ext
etc...
I want to be able to list, put and get all folders and objects in the root of the bucket and any subfolder (and subfolder of subfolder).
Here is my current policy for the user group that needs these permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::my-bucket"
]
},
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
},
{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:List*"
],
"Resource": "arn:aws:s3:::*"
}
]
}
Using this policy I can only get and put objects in the root of the bucket. But I also want to get and put objects into the folders within the bucket. These folder names are dynamic so I cannot have them in the policy. How do I do this? I know with S3 full access policy it work but not with my example on above. I just keep on getting Access Denied error when trying this.
Any help would be appreciated.
The full policy would look something like this. This works from AWS S3 console.
Notice, that I didn't add s3:DeleteObject. If you need that as well don't forget to add it besides s3:PutObject and s3:GetObject.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
I just setup my AWS S3.
My application works with full-admin-acces-keys, but because this can be risky, I want to setup an IAM-user with an IAM-group and allow only S3-stuff for him.
My bucket is located in eu-central-1 and its name is 'MYBCKET' in the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::MYBCKET"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::MYBCKET/*"
]
}
]
}
This is NOT working. If I give the user the following policy it's working:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"*"
]
}
]
}
It has to be something with the resource for sure.
Can somebody explain to me what the resource consists of so that i can understand and hopefully find errors?
Just to tell you: I am sure I spelled my buckets name right and also I tried different combinations in the resource arn:aws:s3:::MYBCKET/* AND arn:aws:s3:::MYBCKET and some other that did not work.
Thanks for your answers and time.
I don't see anything wrong with your policy, if the intent is the user should access the bucket programatically.
If the user also needs to be able to access the policy thru the console, you could try this instead which will allow the user to list the buckets:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3::: MYBCKET"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3::: MYBCKET/*"]
}
]
}
I am trying to resize my Image when user uploads an image to my bucket. The push notification of image is working. And lambda is running as well. However I cannot put object to the s3 bucket. It gives Access Denied error.
If my source bucket is source-bucket and destination is destination-bucket, the policy of the role associated with my lambda function is as follows:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::destination-bucket",
"arn:aws:s3:::destination-bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::source-bucket",
"arn:aws:s3:::source-bucket/*"
]
}
]
}
Answer Update
Turns out I was updating the ACL and did not add the ACL put permission. So the following solved my problem:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::destination-bucket",
"arn:aws:s3:::destination-bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::source-bucket",
"arn:aws:s3:::source-bucket/*"
]
}
]
}
I am struggling to get a AWS S3 IAM user policy to work, this is my current IAM user's policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1424859689000",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::vault-us/*"
]
}
]
}
When I do a post to create a new object in my S3 bucket I get a 403 Forbidden error but when I use the Managed Policy called 'AmazonS3FullAccess' then everything works just fine.
What I am trying to do is restrict certain IAM users to upload/downloads rights but am struggling to get this working.
Any suggestions would be appreciated!
I managed to figure out that in order for upload to work I needed to include the action "s3:PutObjectAcl" here is the example of my IAM policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::vault-us"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::vault-us/*"
]
}
]
}
First thing you can do is figure out if its the actions that's wrong or the resource scope, can you these two policies one at a time:
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::vault-us/*"
]
and
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"*"
]
If the first one works and the second fails, you don't have enough permissions to do your operation, e.g. try adding listBucket or similar (I tend to add all likely ones and gradually remove them until it breaks).
If the first one breaks and the second one works then your resource declaration is wrong, the most common fix I've found is to try adding:
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::vault-us/*",
"arn:aws:s3:::vault-us"
]
If the both fail then chances are both your action and your resource is wrong.
Good Luck