Permissions help setting up user access to S3 - amazon-web-services

Still new to AWS. I'm trying to grant a user access to only S3 buckets that have a particular naming convention. I've got a basic policy like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowActionsForProjectbucket",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
"arn:aws:s3:::bucket-*/*",
"arn:aws:s3:::bucket-*"
]
}
]
}
However I'm getting Access Denied errors when running.
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
I'm confused I guess by the error message, as I assumed that the s3:* Action covered the ListBuckets, but perhaps it's something else.

Add the policy below to your AWS IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-BUCKET",
"arn:aws:s3:::YOUR-BUCKET/*"
]
}
]
}
https://www.serverkaka.com/2018/05/grant-access-to-only-one-s3-bucket-to-aws-user.html

Related

What are the minimal permissions required to GET parameters from AWS SSM?

I have tried setting up a permissions policy granting ssm:GetParameter and ssm:GetParameters to a role, but I get the error that "ssm:GetParameter is not allowed for this role". The only way I've found to eliminate the error is to grant ssm:*, however I'd like to keep my permissions to a minimum. What am I missing here?
failing permission (account_id obscured):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
}
]
}
working permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:*",
"Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
}
]
}
Try using
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath"
]
If that does not help, allow "ssm:DescribeParameters".

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

I am trying to publish AWS VPC Flow Logs from account A to an S3 bucket in another account B. I am able to do so, but when I try to download the logs from account A, I am getting the error
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
My account A has IAM userA that I am using.
I am using the below command to download:
aws s3 cp s3://vpcflowlogscross/VPCLogs/{subscribe_account_id}/vpcflowlogs/{region_code}/2021/06/14/xyz.log.gz .
I have tried adding the region as well in the above command but no luck. Also, while investigating this I came across documentation to add ListBucket permission, which I already have.
My bucket policy in account B:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::vpcflowlogs-cross/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AWSLogDeliveryCheck",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::vpcflowlogs-cross"
},
{
"Sid": "DownloadObjects",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:user/userA"
},
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::vpcflowlogs-cross",
"arn:aws:s3:::vpcflowlogs-cross/*"
]
}
]
}
I am using the below IAM user policy in account A to download the objects that are in account B S3 bucket.
My IAM user policy in account A:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IAMAllowDownload",
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::vpcflowlogs-cross",
"arn:aws:s3:::vpcflowlogs-cross/*"
]
}
]
}
I have tried changing the bucket and IAM policy but still no luck. I understand that the log objects getting published to account B are owned by it, but I am using the s3 "getobject" permission in the bucket policy for the account A principal userA. Shouldn't this allow me to download the objects?

AWS S3 GetObject error on cross account access

I am the owner of AWS AccountC and need List and Get Permissions to BucketName owned by another person/team.
The bucket policy created is attached below. Policy for AccountA and AccountB were already existing and I added the policy for AccountC as given below
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AccessA",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountA:root",
"arn:aws:iam::AccountA:user/ABC-Prod"
]
},
"Action": [
"s3:GetObject",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::BucketName/*",
"arn:aws:s3:::BucketName"
]
},
{
"Sid": "AccessB",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountB:user/service-user",
"arn:aws:iam::AccountB:role/BatchUserRole"
]
},
"Action": "*",
"Resource": [
"arn:aws:s3:::BucketName/*",
"arn:aws:s3:::BucketName"
]
},
{
"Sid": "AccessC",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountC:root"
},
"Action": "s3:List*",
"Resource": "arn:aws:s3:::BucketName"
},
{
"Sid": "AccessD",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountC:root"
},
"Action": "s3:Get*",
"Resource": "arn:aws:s3:::BucketName/*"
}
]
}
I am able to list contents of BucketName using
aws s3 ls BucketName
However, when I try
aws s3 cp --recursive BucketName/folderName/ .
it gives me an Access Denied error
An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
Block public access is enabled on the bucket, however I believe it should not have an effect since the bucket policy is added.
Tried multiple ways to write the policy but the error persists. Can someone please help me understand what I might be missing here? Would be really grateful.

AWS Lambda S3 Access Denied

I have a lambda function using a role with the following policy excerpt
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::ipwl-lambda-config/*",
"arn:aws:s3:::ipwl-lambda-config"
]
}
My bucket policy looks like the following
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::ipwl-lambda-config/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "AllowLambda",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountid:role/iam_for_lambda"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::ipwl-lambda-config/*",
"arn:aws:s3:::ipwl-lambda-config"
]
}
]
}
I've allowed GetObject and ListBucket on both the role and the bucket policy. However when my function runs
s3_obj = s3_res.Object(s3_bucket, s3_object)
I get
[ERROR] ClientError: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
What more permissions do I have to add? The object is there, I can get it when I run the code locally using an admin role.
Update
I've checked to make sure the bucket and object names are correct dozens of times. The exception is actually coming from the second line here according to the stacktrace
s3_res = boto3.resource('s3')
s3_obj = s3_res.Object(s3_bucket, s3_object)
data = s3_obj.get()['Body'].read()
KMS should only be a factor for PutObject. We have a support account so I may check with them and update with their findings.
To download a KMS-encrypted object from S3, you not only need to be able to get the object. You also need to be able to decrypt the AWS KMS key.
Here's an example of an IAM policy that your Lambda function should have:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3get",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::ipwl-lambda-config/*"
},
{
"Sid": "kmsdecrypt",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:example-region-1:123456789012:key/example-key-id"
}
]
}
The key policy also needs to allow the IAM role to decrypt the key, something like this:
{
"Sid": "kmsdecrypt",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/xyz"
},
"Action": "kms:Decrypt",
"Resource": "*"
}

S3 PutObject Access Denied when deploying to

I want to create an IAM user whose sole job is to deploy to AWS S3 Static Website.
I have this policy given to my DeployUser:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::www.<my-site-name>.com"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutBucketAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
}
]
}
And this is my bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::www.<my-site-name>.com/*"
}
]
}
And this is the issue I get when I deploy (I am using GitHub Actions for this):
upload failed: public/404.html to s3://www.<my-site-name>.com/404.html An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
In GitHub, I passed the access key and secret of the user to my Action. I am pretty sure it is using that user to do the transaction. When I give S3FullAccess, my user is able to do it just fine. But I want to create a user with the AWS actions it only needs.
Where can I see better logs of this IAM user's actions?
Based on the comments, the solution was to add PutObject in the backed policy for the DeployUser.
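
An added example (not from any of the posts above): a small Python check for a mismatch that appears in two identity policies on this page, an action paired with a Resource pattern of the wrong type. On the first question's policy it reports s3:ListAllMyBuckets, and on the DeployUser policy it reports s3:PutBucketAcl, a bucket-level action granted only on the object ARN. The action table, the names `resource_scopes`, `unreachable_actions` and `allow`, and the rule that only `*` or `arn:aws:s3:::*` covers account-level actions are assumptions made for this example.

```python
import fnmatch
S3 = "arn:aws:s3:::"
# What each action is authorized against (subset of S3 actions seen on this page).
ACTION_SCOPE = {"s3:ListAllMyBuckets": "account", "s3:ListBucket": "bucket",
                "s3:GetBucketLocation": "bucket", "s3:GetBucketAcl": "bucket",
                "s3:PutBucketAcl": "bucket", "s3:GetObject": "object",
                "s3:GetObjectAcl": "object", "s3:PutObject": "object",
                "s3:DeleteObject": "object"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def resource_scopes(pattern):
    """Request types a Resource pattern can match at all."""
    # Assumption (from the answer above): only "*" or "arn:aws:s3:::*" covers account-level actions.
    if pattern in ("*", S3 + "*"):
        return {"account", "bucket", "object"}
    if not pattern.startswith(S3):
        return set()
    name = pattern[len(S3):]
    if "/" in name:  # bucket names cannot contain "/", so this is object-only
        return {"object"}
    # IAM "*" also spans "/", so "bucket-*" matches object ARNs as well
    return {"bucket", "object"} if "*" in name else {"bucket"}

def unreachable_actions(policy):
    """Actions named in Allow statements whose Resource list can never match them."""
    named, reachable = set(), set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        scopes = set().union(*(resource_scopes(r) for r in as_list(stmt["Resource"])))
        for pat in as_list(stmt["Action"]):
            for action, scope in ACTION_SCOPE.items():
                if fnmatch.fnmatchcase(action.lower(), pat.lower()):
                    named.add(action)
                    if scope in scopes:
                        reachable.add(action)
    return sorted(named - reachable)

def allow(actions, resources):  # hypothetical helper: builds one Allow statement
    return {"Effect": "Allow", "Action": actions, "Resource": resources}

# Identity policies transcribed from this page (Sid and Version omitted).
QUESTION = {"Statement": [allow(["s3:*"], [S3 + "bucket-*/*", S3 + "bucket-*"])]}
ANSWER = {"Statement": [
    allow(["s3:GetBucketLocation", "s3:ListAllMyBuckets"], S3 + "*"),
    allow("s3:*", [S3 + "YOUR-BUCKET", S3 + "YOUR-BUCKET/*"])]}
DEPLOY = {"Statement": [allow(["s3:ListBucket"], S3 + "www.<my-site-name>.com"),
                        allow(["s3:GetObject", "s3:PutObject", "s3:PutBucketAcl",
                               "s3:DeleteObject"], S3 + "www.<my-site-name>.com/*")]}
```

`unreachable_actions` works on the whole policy, so a wildcard such as `s3:*` on one bucket is not flagged when another statement already grants the account-level action, as in the answer's policy.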