I always get confused in two but I wanted to add a IAM policy on S3 bucket.
Basically I have created an output bucket for Amazon transcriptions but it seems I need to add IAM role to allow Transcription job to write to the bucket. I think if I can attach AmazonTranscribeFullAccess to S3 bucket, it will work but I am unable to attach this policy. Could you please advise how can I add this policy on the new bucket?
There are a few concepts you will want to dig deeper into to understand the difference between IAM policies and S3 bucket policies. A detailed guide is: https://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html
You can attach IAM policies to Users, Groups and Roles, and you can attach bucket policies to S3 buckets.
Try adding S3 access to the user/role that you are using to run the transcribe job.
Related
Requirement: Create SakeMaker GroundTruth labeling job with input/output location pointing to S3 bucket in another AWS account
High Level Steps Followed: Lets say, Account_A: SageMaker GroundTruth labeling job and Account_B: S3 bucket
Create role AmazonSageMaker-ExecutionRole in Account_A with 3 policies attached:
AmazonSageMakerFullAccess
Account_B_S3_AccessPolicy: Policy with necessary S3 permissions to access S3 bucket in Account_B
AssumeRolePolicy: Assume role policy for arn:aws:iam::Account_B:role/Cross-Account-S3-Access-Role
Create role Cross-Account-S3-Access-Role in Account_B with 1 policy and 1 trust relationship attached:
S3_AccessPolicy: Policy with necessary S3 permissions to access S3 bucket in the this Account_B
TrustRelationship: For principal arn:aws:iam::Account_A:role/AmazonSageMaker-ExecutionRole
Error: While trying to create SakeMaker GroundTruth labeling job with IAM role as AmazonSageMaker-ExecutionRole, it throws error AccessDenied: Access Denied - The S3 bucket 'Account_B_S3_bucket_name' you entered in Input dataset location cannot be reached. Either the bucket does not exist, or you do not have permission to access it. If the bucket does not exist, update Input dataset location with a new S3 URI. If the bucket exists, give the IAM entity you are using to create this labeling job permission to read and write to this S3 bucket, and try your request again.
In your high level step 2, the approach should change to using a Resource Policy on your S3 bucket that allows account A to write to it. Rather than expecting Account A to assume a role in Account B, which I don't believe Sagemeker will do. Therefore the general approach is to do the following:
Account A Sagemaker service is given has a iam policy with a that allows access to Account B bucket. (Basically what you've done).
Account B bucket is given a resource policy that allows Account A to access it.
The following article gives additional help on this topic: How can I provide cross-account access to objects that are in Amazon S3 buckets?
Reverted back to original approach where access to the SageMaker execution role was provided through direct S3 bucket policy.
While creating the GT job from console:
(i) Expects the user creating the job also to have access to the data in cross account S3 bucket; Updated bucket policy to have access for both SageMaker execution role as well as user
(ii) Expects the manifest in own account's S3 bucket; Fails with 403 if manifest is in cross account S3 bucket even though SageMaker execution role had access to the cross account S3 bucket
While creating the GT job from CLI: Above restrictions doesn't apply and was able to create the GT job.
I have an S3 bucket, and I want to know which AWS resources have permission to access it (security audit). There is nothing in the bucket policy itself - permissions are defined using IAM policies on the resources.
I have a LOT of different components on this project. Is there a way to find all the resources that have permissions for this bucket? Or do I have to check the IAM policies on every single resource in the account?
I keep seeing posts that refer to setting a policy and while they mention S3 buckets the policy they are often referring to are IAM policies.
In my case I want to control access to my S3 bucket only by an actual "S3 bucket policy".
My current path is :::mybucket, which has /thing1/ and /thing2/
If I wanted a bucket policy that allows a CLI user the ability to list and get /thing1/* but not /thing2/* how would this be done? I've tried my policy with all kinds of conditions, paths etc but nothing seems to work...
I have been reading a number of docs and watched number of videos, but I am still very confused about IAM Roles and Bucket policies. Here is what confuses me:
1) I create a bucket. At that time I can make it public or keep it private. If I make it public, then anyone, or any Application, can "see" the objects in the bucket. I think the permissions can be set to add/delete/get/list objects in the bucket. If this is the case, then why do I ever need to add any IAM Role for S3 buckets, or, add any Bucket policy (???)
2) At the time I create a bucket, can I give very specific permissions to only certain users/applications/EC2 instances etc to all or part of the bucket? e.g. App1 on EC2-X can access subfolder A in bucket B1.
3) Coming to IAM Roles, an EC2 role that gives full S3 access- what does it mean? Full access to any bucket? How can I restrict an app running on an EC2 to only certain buckets, with only certain restricted permissions (see #2) above)? Do all Apps on the EC2 have full access to all buckets? At the time of creating a bucket, can the permissions be so set that an IAM Role can be overruled?
4) Finally, what do Bucket Policies do in addition to the above IAM Roles? e.g is 'AllowS3FullAccess' a "Bucket Policy", or an "IAM Policy"? Why differentiate between types of policies- policies are just that- they define some permissions/rules on some objects/resources,as I see it.
Thanks for any clarifications.
- a newcomer to AWS
I think you are confusing permissions for resources with IAM entities.
i) There are resources (S3 bucket, EC2 instances etc.) owned by the AWS account and these resources can be accessed by IAM users, IAM roles or other AWS Services (can be from same or different account)
ii) We manage who can access and their permission level with policies
iii) Policies can be identity based (attached to IAM user/group/role) or resource based (attached to S3 bucket, SNS topic)
iv) Resource based policy will have a Principal element but the identity based policies will not have that (because the attached IAM entity is the Principal)
v) Permissions start from default deny, allow overrides the default deny and an explicit deny overrides any allow
vi) Final access will be determined by combination of all policies
To answer your questions:
1> We cannot add (or attach) an IAM role with an S3 bucket. If you want your bucket should be public (which is not recommended but need to do it till some extent if it's in use for static website), then you can keep it public
2> It is not possible while creating the bucket. You have to do it after creating the bucket via IAM and/or S3 bucket policy
3> If an IAM role has AmazonS3FullAccess, the role can (Effect:Allow) call any S3 API (s3:) for any S3 resource (Resource:) in your account (provided they don't have cross account access).
If multiple applications run on an instance with an IAM role attached and are using credentials provided by the role, their permission will be same.
4> I don't know where you got the reference AllowS3FullAccess but we cannot confirm unless we know the exact JSON. If it is attached to a bucket or has the Principal element, it is a bucket policy.
You can use IAM and Bucket policies based on your need. Usually bucket policies are used for cross account access or if you want to manage S3 permission policies in a single place.
The goal
I have a few users I created from IAM > Users. I want these users, and only these users, to access my files in my s3 bucket.
The problem
I thought I can add these users to a group. After I created a group in IAM > Groups I expect it to show in list of grantee when I'm changing permissions of a file in my bucket.
Problem is, it doesn't. That means somewhere along the way my understanding might be wrong. But then again in official AWS S3 documentation there is no information about this (I can hardly believe!).
Please help.
Currently AWS doesn't support IAM group or role as Principal for S3 buckets. I had the same requirement and from this discussion it is clear there is no support for group ARN or role ARN in bucket policy.
The format and use of the IAM policies was brought over to s3 for the
bucket policies but as you have seen group are not valid within s3
bucket policy. I can also let you know that roles are also not
available within the s3 bucket policies.