Is it possible to restrict AWS S3 objects such that only users who authenticate via AWS Cognito gain access to the object? I haven't figured out a way to do this, but it seems obvious to me that this would be a use case.
I want to host a website via AWS S3 and restrict some objects (my pages) so that if a user were to go them directly they'd get a permission denied error. If the user was authenticated via AWS Cognito tho the object should be available.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Deny access to objects in the secured directory.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::domain.com/secured/*"
},
{
"Sid": "Only allowed authenticated users access to a specific bucket.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::x:role/Cognito_Domain_IdP_Auth_Role"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::domain.com/secured/*"
},
{
"Sid": "Read access for web hosting.",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::domain.com/*"
}
]
}
You can pass a role to your users authenticated via cognito and then allow them certain actions.
Creating Roles for Role Mapping
It is important to add the appropriate trust policy for each role so that it can only be assumed by Amazon Cognito for authenticated users in your identity pool. Here is an example of such a trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:12345678-dead-beef-cafe-123456790ab"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
Granting Pass Role Permission
To allow an IAM user to set roles with permissions in excess of the user's existing permissions on an identity pool, you grant that user iam:PassRole permission to pass the role to the set-identity-pool-roles API.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::123456789012:role/myS3WriteAccessRole"
]
}
]
}
More Info here:
https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html
Yes, you can achieve that
But for that you can not achieve it directly configuring through the console
→First you need to create policy with limited access of Cognito and S3 bucket
→Create a role attaching them
→Assign them to your EC2 or Lambda
→Authenticate the user in your application using Cognito
→Using that you can have a signed URL for S3 object and retrieve them
This may help you
Related
I want to restrict aws s3 bucket to not get access from anywhere, I want block all access public, private, bucket, folder, file everything of that bucket after that then i want to create an access point of s3 then I want to give permission to an IAM user so that only that IAM user can perform all action but only that IAM user
now I am not sure what exactly I also enable or disable like public access or something
also, i don't know I have to give a policy to the bucket or access point
I want to restrict aws s3 bucket to not get access from anywhere, I want block all access public, private, bucket, folder, file everything of that bucket
Use this policy to restrict all access:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAll",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*"
}
]
}
then i want to create an access point of s3 then I want to give permission to an IAM user so that only that IAM user can perform all action but only that IAM user
Use this policy to restrict all access except for one IAM user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllExceptRole",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": "IAM-ROLE-ARN"
}
}
},
{
"Sid": "AllowRole",
"Effect": "Allow",
"Principal": "IAM-ROLE-ARN",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*"
}
]
}
I am not sure if I am missing a step here or not.
I have an s3 bucket I need to be able to access from an AWS SDK PHP script I wrote running on my EC2. I created an IAM role to allow access.
IAM Allow_S3_Access_to_EC2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::myinbox"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::myinbox/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::myinbox/*"
}
]
}
And my Trust Relationship for the IAM role is
Trust Relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I then attached that IAM role to my EC2 instance. From what I have read this is all I have to do, but I think I need to do more.
In my Bucket Policy I have the following to allow access from my SES to be able to create the email object.
S3 Bucket Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSESPuts",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myinbox/*",
"Condition": {
"StringEquals": {
"aws:Referer": "************"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::************:role/Allow_S3_Access_to_EC2"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::myinbox",
"arn:aws:s3:::myinbox/*"
]
}
]
}
My Bucket Policy has nothing in there for my EC2 or even my IAM role I have attached. Do I need to add something to my Bucket Policy as well? That is where I am confused.
What I am experiencing is when a new object is created and I try and access that object from my AWS SDK PHP I get a "403" Forbidden. If I make that object public in the S3 console I can then access it just fine. So even though I have set permissions for my EC2 to access my S3 unless I make the object public I can't access it.
I even tried using wget to the object on the actual server through the terminal and I still get the 403 unless I make the object public
When I run the IAM Policy Simulator on my role I get
Here is my PHP
PHP Script
require '../aws-ses/aws-autoloader.php';
use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;
$bucketName = 'myinbox';
try {
// Instantiate the client.
$s3 = new S3Client([
'version' => 'latest',
'region' => 'us-west-2',
'credentials' => array('key'=>'*********************',
'secret'=>'*******************************************')
]);
} catch (Exception $e) {
// We use a die, so if this fails. It stops here. Typically this is a REST call so this would
// return a json object.
die("Error: " . $e->getMessage());
}
// Use the high-level iterators (returns ALL of your objects).
$objects = $s3->getIterator('ListObjects', array('Bucket' => $bucketName));
First, did you set up the trust relationship so that the EC2 service can assume that role?
Next, you don't associate IAM roles directly with EC2 instances; instead you need to use an Instance Profile. Did you set up an Instance Profile associated with that Role?
This document is a good start: https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html
1) I would make sure that you're ec2 is using the role to call the s3, use the command below to identify
aws sts get-caller-identity
2) I would revoke existing sessions to make sure the new session has refreshed the roles
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
3) use the S3 access analyzer to define the access resolving
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html
The bucket is configured to have public access disabled, but with the following bucket policy:
{
"Version": "2012-10-17",
"Id": "Policy1571348371588",
"Statement": [
{
"Sid": "Stmt1571348370292",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::932534461852:user/test-user"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::test.test.com",
"arn:aws:s3:::test.test.com/*"
]
}
]
}
The IAM is also attached with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::test.test.com"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:PutAccountPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": "*"
}
]
}
The bucket's public access setting is:
Block all public access
On
Block public access to buckets and objects granted through new access control lists (ACLs)
On
Block public access to buckets and objects granted through any access control lists (ACLs)
On
Block public access to buckets and objects granted through new public bucket policies
On
Block public and cross-account access to buckets and objects through any public bucket policies
On
I have verified that the cli and the sdk are using the same access key and secret key, and I can use console and cli to upload files without problem, but when I try with node.js's aws-sdk: 2.551.0, I got access denied error.
Where can go wrong?
The problem is likely to be that your Node.js client is using the wrong credentials, is targeting the wrong bucket, or is invoking an action not allowed in the IAM policy. You haven't provided any code so we can't validate the latter.
Also, you don't need to allow the IAM user in an S3 bucket policy if the IAM user's policy allows the necessary S3 actions/resources, so you can remove the bucket policy.
Is it possible to create user roles with low, medium and high permission? So that, we could grant permissions like read, write, full control to each user role.
Once we set up those log ins we would like to determine which folders belong where. Please let me know.
Amazon S3 allows you to restrict access permissions on bucket level. This can be achieved by creating different IAM users for different roles.
e.g.
You can create 3 IAM users.
low-permission
med-permission
high-permission
After you create these 3 users, you need to attach access policy to the bucket. This can be done via AWS-CLI or AWS S3 Console. You need to use ARN or the IAM users you created above in the access policy.
Sample access policy :
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::MyExampleBucket"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::MyExampleBucket/*"
},
]
}
yes, AWS gives you very fine control over access to resources, in case of S3 you for subfolders of buckets and of course control over what actions can be taken. Manage your users and policies in IAM: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html
Also read about S3 Bucket policies:
http://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
I am using go sdk to create a new role and assume it. Both are done with same IAM user.
The role trust relationship is as follows:
{
"Statement": [{
"Effect": "Allow",
"Principal": { "AWS": "<an admin user>" },
"Action": [ "sts:AssumeRole" ]
}]
}
Later when trying to add object to a bucket, I can create a session token,
but the PutObject operations fails with AccessDenied.
The bucket policy is:
{
"Effect": "Allow",
"Action":"s3:*",
"Resource": [
"arn:aws:s3:::<name of the bucket>/*"
],
"Condition": {}
}
If the role you are assuming does not grant access to the S3 bucket via the role policies, you'll need to add the role as a principal to the bucket policy.
There's a handy tool here; https://awspolicygen.s3.amazonaws.com/policygen.html that helps with generating bucket policies. But it should end up looking like:
{
"Effect": "Allow",
"Action":"s3:*",
"Principal": {
"AWS": ["arn:aws:iam::<accountid>:role/<name of assumed role>"]
},
"Resource": [
"arn:aws:s3:::<name of the bucket>/*"
],
"Condition": {}
}