Amazon S3 bucket policy for referer condition on specific folder - amazon-web-services

I want to use a StringLike condition on aws:Referer for a particular folder and make the rest of the folder publicly accessible.
Here is my bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::bucketName/folderName/*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketName/folderName/users/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://example.com/*"
          ]
        }
      }
    }
  ]
}
When I use the above policy, it does not work together with the first one.

Try with the policy below:
{
  "Sid": "",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::bucketName/folderName/users/*",
  "Condition": {
    "StringNotLike": {
      "aws:Referer": [
        "https://example.com/*"
      ]
    }
  }
}

The first part of your policy is granting GetObject access for anything in the folderName path of your bucket. This includes folderName/users/*.
Therefore, the second part of your policy is not being used (since the first policy is already granting access to the folderName/users/* path).
You could solve it by using different buckets, or you could convert the second policy into a Deny with StringNotLike (effectively saying that access is denied to folderName/users/* if the referer is not example.com).
Frankly, your policy looks strange because it is granting access to the entire users path hierarchy, which probably isn't what you'd want it to do. (I'm assuming you'd want to grant access only to a particular user's data based upon who is accessing your application.)
Please note that referer is not secure: it is easy to fake this value in a browser and in web-scraping software.

Related

S3 Policy Help - Full access for IAM user. Public read only access for single folder

I have an IAM user created with a policy for my bucket. With "public block access" enabled I can interact with the bucket as expected through this user.
Now I need to make a single public read-only folder using bucket policies, but I am not having any luck. I created the below policy which should
Disable all access to all principals
Enable all access for my IAM user
Enable read-only access to specific folders for all users.
{
  "Id": "Policy1676746531922",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1676745894018",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::bucket/*",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1676746261470",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000:user/bucket-user"
        ]
      }
    },
    {
      "Sid": "Stmt1676746523001",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/read-only-folder",
      "Principal": "*"
    }
  ]
}
I guess you cannot layer up access in this way, but I am unsure how to construct what I need. If I go with a single read policy to open up one folder, I still seem to be able to access all other folders publicly too:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/public/*"
    }
  ]
}
I can access "/public" but can still access "/private" too.
I need a way first to lock down the entire bucket and then open up the folders I want to provide access for?
Your policy is failing because Deny always overrides an Allow.
The first statement in the policy will Deny access to the bucket for everyone (including you!).
Your second policy on arn:aws:s3:::bucket-name/public/* is the correct way to go. It will only grant anonymous access to that particular folder.
If you are able to access other folders, then either there are other policies that exist, or you are using "authenticated access" using your own AWS credentials. Make sure when you test it that you are putting a URL into a web browser that simply looks like: https://bucket-name.ap-southeast-2.s3.amazonaws.com/foo.txt

How can I allow everyone in my org to access an object uploaded by someone else?

I maintain an S3 bucket for my org that is not publicly accessible but is readable by everyone in the org. There's also a folder, sandbox, that everyone in the org can write to. I set up my S3 permissions as:
{
  "Version": "2012-10-17",
  "Id": "...",
  "Statement": [
    {
      "Sid": "...",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::1234:root"]
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Sid": "...",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::1234:root"]
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::my-bucket/sandbox/*"
    }
  ]
}
Here, 1234 is a user in my org; I have enumerated all my users here. The first Statement allows read-only access while the second gives write to only the sandbox directory. These both work, but I've found that when people in my org write to it, no one has access to read those files except the individual who wrote it.
I instructed users to copy files there using --acl bucket-owner-full-control; for example:
aws s3 cp --acl bucket-owner-full-control my_file.tsv s3://my-bucket/sandbox/
But this doesn't fix the permissions. What's the right way to make it so I effectively own all uploaded files, or at least so that everyone can read files that anyone else uploads?
This is probably unrelated, but I also tried including a condition for bucket owner:
"Condition": {
  "StringEquals": {
    "s3:x-amz-acl": "bucket-owner-full-control"
  }
}
I put this Condition as a sibling value to Action, Resource, etc., but when I try to save the permissions, I get the error:
Conditions do not apply to combination of actions and resources in statement
I'm sure that you asked this on the assumption that users from different AWS accounts are uploading objects.
Reading the description of the bucket-owner-full-control canned ACL on the following Controlling ownership of uploaded objects using S3 Object Ownership page, you can see that it applies when objects are uploaded.
Thus, create another Statement with only s3:PutObject, and you can give it that permission together with the condition.
The policy would be as follows:
{
  "Version": "2012-10-17",
  "Id": "...",
  "Statement": [
    {
      "Sid": "...",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::1234:root"]
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Sid": "...",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::1234:root"]
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::my-bucket/sandbox/*"
    },
    {
      "Sid": "...",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::1234:root"]
      },
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/sandbox/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Take a look at this documentation as well.
For instance, the request syntax of GetObject does not accept x-amz-acl, but PutObject does.
BTW, the answer above is about the issue with the condition; it does not address allowing all users from a different account.
So, you can grant permission to another AWS account.
How to provide cross-account access to objects that are in S3 buckets?
Bucket owner granting cross-account bucket permissions
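The error in this question, "Conditions do not apply to combination of actions and resources in statement", is what S3 returns when a Condition key sits in a statement alongside actions that do not support it; the answer's fix is to split the statement by hand. The following is an added example (not code from the answer or from AWS) that performs that split mechanically. KEY_ACTIONS is an assumption taken from the S3 condition-key reference and lists only the key from the question; SANDBOX is the question's sandbox statement with the rejected Condition attached, minus its elided Sid.

```python
"""Split a statement whose Condition uses a key that only some of its actions
support, which S3 otherwise rejects with 'Conditions do not apply to
combination of actions and resources in statement'. Added example, not AWS
code; KEY_ACTIONS is an assumption to check against the current docs."""

# Which actions accept a given condition key. Only the key from the question
# is listed; an action not listed for a key is treated as not supporting it.
KEY_ACTIONS = {
    "s3:x-amz-acl": {"s3:PutObject", "s3:PutObjectAcl", "s3:PutBucketAcl", "s3:CreateBucket"},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def split_statement(statement):
    """Return one statement without the Condition for the actions that cannot
    use its keys, and one with the Condition for the actions that can.
    Action wildcards are not expanded: list the actions explicitly."""
    condition = statement.get("Condition")
    if not condition:
        return [statement]
    keys = {k for clauses in condition.values() for k in clauses}
    supported = set.intersection(*(KEY_ACTIONS.get(k, set()) for k in keys))
    actions = _as_list(statement["Action"])
    plain = [a for a in actions if a not in supported]
    conditional = [a for a in actions if a in supported]
    out = []
    if plain:
        s = {k: v for k, v in statement.items() if k != "Condition"}
        s["Action"] = plain
        out.append(s)
    if conditional:
        s = dict(statement)
        s["Action"] = conditional
        out.append(s)
    return out

# The sandbox statement from the question with the Condition that S3 rejected
# (Sid omitted; give each resulting statement its own unique Sid when you use it).
SANDBOX = {
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::1234:root"]},
    "Action": ["s3:GetObject", "s3:GetObjectTagging", "s3:PutObject", "s3:PutObjectAcl"],
    "Resource": "arn:aws:s3:::my-bucket/sandbox/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(split_statement(SANDBOX), indent=2))
```

The output differs from the hand-written answer in one respect: PutObjectAcl stays under the condition as well, because the table lists it as accepting s3:x-amz-acl. That is the stricter choice, since it also prevents a later PutObjectAcl on a sandbox object from replacing the ACL with one that drops the bucket owner's grant. If the table is wrong for some action, S3 reports the same error when the split policy is saved, so the mistake surfaces immediately rather than silently.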

Deny access to AWS S3 to all IPs except specific ranges

I have an S3 Bucket ("myBucket"), to which only a user has access, let's call it "s3user". I have an IAM policy attached to this user as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::myBucket"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetObjectVersion"
      ],
      "Resource": "*"
    }
  ]
}
I attached this IAM Policy to user "s3User", granting read-only access to "myBucket". So far so good.
Now I added a second policy, this time not an IAM policy but an S3 bucket policy, as follows:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::myBucket/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "1.2.3.4/27",
            "2.3.4.1/28",
            "5.6.7.8/29"
          ]
        }
      }
    }
  ]
}
I expected that this explicit deny would deny all requests not coming from the specified source IP ranges. But it is still letting me list the contents of the bucket from other IPs. It seems as if the bucket policy had no effect at all.
According to this AWS S3 article, when you have multiple policies, they are all applied and explicit denies have precedence over explicit allows, so I think this should be working, but it isn't.
Any ideas why I'm not able to deny requests to a bucket based on sourceIP addresses?
Thanks!
You should update your Deny policy to include operations that are performed on the bucket itself, rather than its content (/*):
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "DenyOutsideIPfromBucket",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": ["arn:aws:s3:::myBucket/*", "arn:aws:s3:::myBucket"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "1.2.3.4/27",
            "2.3.4.1/28",
            "5.6.7.8/29"
          ]
        }
      }
    }
  ]
}
Of course, if the only users with access to the bucket are the ones with the IAM policy, you could simply add a IpAddress condition on the original IAM policy, so they can only use the bucket from the given set of IP addresses. This would avoid the need for a Deny policy.
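The mistake in this question is easy to repeat, so here is a small static check for it (an added example, not an AWS tool or code from the answer). It relies on the same fact the answer does: arn:aws:s3:::myBucket/* matches object ARNs only, while bucket-level calls such as ListBucket are authorized against the bare bucket ARN arn:aws:s3:::myBucket, so a Deny whose Resource lists only the object pattern never fires for them. BUCKET_LEVEL is a hand-picked subset of S3's bucket-level actions (an assumption; extend it from the AWS action reference), and POSTED_DENY is the Deny statement from the question.

```python
"""Flag Deny statements that name bucket-level S3 actions but list only object
ARNs ('arn:aws:s3:::bucket/*'), so those actions silently stay allowed.
Added example, not AWS tooling."""
import fnmatch

# Assumption: a hand-picked subset of actions whose resource is the bucket ARN
# itself rather than an object ARN. Extend from the S3 action reference as needed.
BUCKET_LEVEL = {
    "s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:GetBucketAcl",
    "s3:PutBucketAcl", "s3:GetBucketVersioning", "s3:DeleteBucket",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _bucket_arn(resource_arn):
    # 'arn:aws:s3:::myBucket/some/key' -> 'arn:aws:s3:::myBucket'
    return resource_arn.split("/", 1)[0]

def uncovered_bucket_actions(statement):
    """Map each bucket whose objects the statement covers, but whose bare bucket
    ARN it omits, to the bucket-level actions the statement names (Action
    wildcards such as s3:* are expanded against BUCKET_LEVEL)."""
    patterns = _as_list(statement["Action"])
    named = sorted(a for a in BUCKET_LEVEL
                   if any(fnmatch.fnmatchcase(a, p) for p in patterns))
    resources = _as_list(statement["Resource"])
    bare = {r for r in resources if "/" not in r}
    report = {}
    for r in resources:
        if named and "/" in r and _bucket_arn(r) not in bare:
            report[_bucket_arn(r)] = named
    return report

def add_bucket_arns(statement):
    """Return a copy that also lists the bare bucket ARN for every object ARN,
    which is what the answer above does by hand."""
    resources = _as_list(statement["Resource"])
    extra = [_bucket_arn(r) for r in resources if "/" in r]
    fixed = dict(statement)
    fixed["Resource"] = list(dict.fromkeys(resources + extra))  # keep order, drop dupes
    return fixed

# The Deny from the question: s3:* on objects only, so ListBucket still works.
POSTED_DENY = {
    "Sid": "IPAllow", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::myBucket/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["1.2.3.4/27", "2.3.4.1/28", "5.6.7.8/29"]}},
}

if __name__ == "__main__":
    print("posted:", uncovered_bucket_actions(POSTED_DENY))
    print("fixed: ", uncovered_bucket_actions(add_bucket_arns(POSTED_DENY)))
```

Running it on the posted statement reports every bucket-level action for arn:aws:s3:::myBucket, which is exactly the ListBucket call that kept working from other IPs; after add_bucket_arns the report is empty. The check is purely structural and says nothing about the Condition, so it is a complement to, not a replacement for, the IAM policy simulator.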

AWS S3 Bucket policy public. How to make object private?

I have a bucket with GetObject available to everyone on the full bucket (*). I want to make a few objects private (through an object-level ACL operation), i.e. only the bucket owner should have read access to the object. I've gone through all available documentation, but couldn't find any possible way. Can anyone confirm whether this is possible or not?
You cannot use S3 Object ACLs because ACLs do not have a DENY.
You can modify your S3 policy to specify objects and deny access to individual items.
Example S3 Policy (notice that this policy forbids access to everyone for GetObject for two files):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    },
    {
      "Sid": "DenyPublicReadGetObject",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::mybucket/block_this_file",
        "arn:aws:s3:::mybucket/block_this_file_too"
      ]
    }
  ]
}
If you want to add a condition so that certain users can still access the objects, add a condition after the Resource section like this. This condition will allow IAM users john.wayne and bob.hope to still call GetObject.
"Resource": [
  "arn:aws:s3:::mybucket/block_this_file",
  "arn:aws:s3:::mybucket/block_this_file_too"
],
"Condition": {
  "StringNotEquals": {
    "aws:username": [
      "john.wayne",
      "bob.hope"
    ]
  }
}

Bucket policy apply to objects not owned by me? (public bucket?)

First, let me link you context:
https://stackoverflow.com/a/9285074/6347501
I'm trying to create a public bucket for some app I'm writing. I have a policy to allow PUT and GET on all items in the bucket. But, as you can see from the link above, the policy simply won't apply to any items Put into the bucket that don't give me ownership.
Is there any solution? Is it actually possible to create a truly public bucket?
Ideally every object in this bucket is accessible to everyone regardless of who uploaded it.
Here's a working policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
It denies any objects that don't use the canned ACL "bucket-owner-full-control", which are also objects that would ignore our open GetObject policy.
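As a closing worked example (added here; it is not code from any of the posts above nor from AWS), the following pure-Python evaluator replays the policies from the referer question, the public-folder question, the private-objects question and this public-bucket question against constructed requests. It shows the three rules every answer on this page leans on: an explicit Deny beats any Allow regardless of order; an Allow that already covers a path makes a second conditional Allow on a sub-path redundant; and a condition key absent from the request (no Referer header, anonymous caller, no x-amz-acl header) fails a positive operator but satisfies a negated one. Bucket names, the IAM user ARN and the user names come from the questions; object keys and header values are made up. The evaluator ignores everything S3 does beyond the bucket policy (IAM policies, ACLs, Object Ownership, Block Public Access) and is not a substitute for the IAM policy simulator.

```python
"""Tiny S3 bucket-policy evaluator: an added example, not AWS code. It models only
what the questions on this page exercise: wildcard Action/Resource matching,
Principal matching, the String* condition operators, explicit Deny beating any
Allow, and implicit Deny when nothing allows. Object keys and header values in
the requests below are constructed for illustration."""
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_ok(principal, caller):
    # caller=None models an anonymous (unsigned) request; "*" admits everyone.
    if principal == "*" or principal == {"AWS": "*"}:
        return True
    return caller is not None and caller in _as_list(principal.get("AWS", []))

def condition_ok(condition, ctx):
    """A key absent from the request context fails StringEquals/StringLike but
    satisfies StringNot*, as IAM does for single-valued keys: a request with no
    Referer header is therefore caught by a Deny with StringNotLike aws:Referer."""
    for op, clauses in condition.items():
        negate, like = op.startswith("StringNot"), op.endswith("Like")
        for key, wanted in clauses.items():
            actual = ctx.get(key)
            if actual is None:
                matched = False
            elif like:
                matched = any(fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted))
            else:
                matched = actual in _as_list(wanted)
            if matched == negate:
                return False
    return True

def evaluate(policy, action, resource, ctx=None, caller=None):
    """Return 'Allow' or 'Deny' for one request against one bucket policy."""
    ctx, allowed = ctx or {}, False
    for s in policy["Statement"]:
        if not _principal_ok(s["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
            continue
        if "Condition" in s and not condition_ok(s["Condition"], ctx):
            continue
        if s["Effect"] == "Deny":
            return "Deny"  # explicit Deny wins regardless of statement order
        allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow: implicit Deny

def stmt(effect, action, resource, condition=None, principal="*"):
    s = {"Effect": effect, "Principal": principal, "Action": action, "Resource": resource}
    if condition:
        s["Condition"] = condition
    return s

GET, PUT, REF = "s3:GetObject", "s3:PutObject", "https://example.com/*"
B1, B2, B5, B6 = ("arn:aws:s3:::bucketName/", "arn:aws:s3:::bucket/",
                  "arn:aws:s3:::mybucket/", "arn:aws:s3:::my-bucket/")
USER = "arn:aws:iam::000000000:user/bucket-user"

# Referer question: posted Allow + conditional Allow, then the answer's Allow + Deny/StringNotLike.
Q1_POSTED = {"Statement": [stmt("Allow", GET, B1 + "folderName/*"),
             stmt("Allow", GET, B1 + "folderName/users/*", {"StringLike": {"aws:Referer": [REF]}})]}
Q1_FIXED = {"Statement": [stmt("Allow", GET, B1 + "folderName/*"),
            stmt("Deny", GET, B1 + "folderName/users/*", {"StringNotLike": {"aws:Referer": [REF]}})]}
# Public-folder question: posted Deny-everything policy, then the answer's lone public/* Allow.
Q2_POSTED = {"Statement": [stmt("Deny", "s3:*", B2 + "*"),
             stmt("Allow", "s3:*", B2 + "*", principal={"AWS": [USER]}),
             stmt("Allow", GET, B2 + "read-only-folder")]}
Q2_FIXED = {"Statement": [stmt("Allow", GET, B2 + "public/*")]}
# Private-objects question: public read with two keys carved out except for two IAM users.
Q5 = {"Statement": [stmt("Allow", GET, B5 + "*"),
      stmt("Deny", GET, [B5 + "block_this_file", B5 + "block_this_file_too"],
           {"StringNotEquals": {"aws:username": ["john.wayne", "bob.hope"]}})]}
# Public-bucket question: anonymous PutObject only with the bucket-owner-full-control canned ACL.
Q6 = {"Statement": [stmt("Allow", PUT, B6 + "*", {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}),
                    stmt("Allow", GET, B6 + "*")]}

def decisions():
    u = B1 + "folderName/users/alice.json"
    return {
        "q1_posted_no_referer": evaluate(Q1_POSTED, GET, u),
        "q1_fixed_no_referer": evaluate(Q1_FIXED, GET, u),
        # Referer is client-supplied: a forged header from curl passes exactly like a browser's.
        "q1_fixed_any_referer": evaluate(Q1_FIXED, GET, u, {"aws:Referer": "https://example.com/curl"}),
        "q1_fixed_other_folder": evaluate(Q1_FIXED, GET, B1 + "folderName/pub.png"),
        "q2_posted_owner_user": evaluate(Q2_POSTED, GET, B2 + "public/a.txt", caller=USER),
        "q2_fixed_public_anon": evaluate(Q2_FIXED, GET, B2 + "public/a.txt"),
        "q2_fixed_private_anon": evaluate(Q2_FIXED, GET, B2 + "private/a.txt"),
        "q5_blocked_anon": evaluate(Q5, GET, B5 + "block_this_file"),
        "q5_blocked_john": evaluate(Q5, GET, B5 + "block_this_file", {"aws:username": "john.wayne"}),
        "q6_put_owner_acl": evaluate(Q6, PUT, B6 + "k", {"s3:x-amz-acl": "bucket-owner-full-control"}),
        "q6_put_no_acl": evaluate(Q6, PUT, B6 + "k"),
    }

if __name__ == "__main__":
    for name, decision in decisions().items():
        print(f"{name:24s} {decision}")
```

Two of the decisions are the ones worth remembering. q1_posted_no_referer is Allow: the unconditional Allow on folderName/* already covers users/*, so the conditional statement never restricts anything, which is why the first answer turns it into a Deny. q1_fixed_any_referer is Allow for whatever Referer value the client chooses to send, which is the caveat at the end of that answer in executable form: the header is a hint for well-behaved browsers, not an access control.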