My buckets folders are private, but when I copy the URL of an individual object into a browser (when I'm logged out), I can still download/view the file.
How can I prevent this?
Here's my bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"NotResource": "arn:aws:s3:::my-bucket/backup/*"
}
]
}
What I am trying to achieve: make every folder private except for 2 folders called media and static (which I want public read access for).
In your policy your are specifically telling it allow anonymous public GET Access.
You have to change it to something like below.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACCOUNT_ID:user/USERNAME_A",
"arn:aws:iam::ACCOUNT_ID:user/USERNAME_B",
"arn:aws:iam::ACCOUNT_ID:user/USERNAME_C",
"arn:aws:iam::ACCOUNT_ID:role/ROLE_A",
"arn:aws:iam::ACCOUNT_ID:role/ROLE_B",
"arn:aws:iam::ACCOUNT_ID:role/ROLE_C"
]
},
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
Refer more policy examples here.
I think you are looking for something like this.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAllS3ActionsInOtherFolders",
"Action":["s3:*"],
"Effect":"Allow",
"Resource": ["arn:aws:s3:::my-bucket"],
"Condition":{"StringLike":{"s3:prefix":
[
"backup/media/*"
"backup/static/*"
]
}
}
}
]
}
Please refer this Grant Access to User-Specific Folders in an Amazon S3 Bucket for more details.
This policy grants public GetObject access to the two folders.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadAccess",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::jr-enc/media/*",
"arn:aws:s3:::jr-enc/static/*"
],
"Principal": "*"
}
]
}
Note that GetObject only grants access to access/download an object. It does not give permission to list the contents of the bucket/folders.
Related
As a plan to deprecate s3 objects, I am revoking all access apart from mine. I tried 2 ways but I see I am not able to see the bucket policy.
Error message from console:
You don’t have permission to get bucket policy
You or your AWS administrator must update your IAM permissions to allow s3:GetBucketPolicy. After you obtain the necessary permission, refresh the page. Learn more about Identity and access management in Amazon S3
First:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::ck",
"arn:aws:s3:::k/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA"
]
}
}
}
]
}
Second:
{
"Id": "bucketPolicy",
"Statement": [
{
"Action": "s3:*",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::0220:user/an"
]
},
"Resource": [
"arn:aws:s3:::tes",
"arn:aws:s3:::tes/*"
]
}
],
"Version": "2012-10-17"
}
I have a public S3 bucket which has 2 folders inside it, public-folder and private-folder
I want everyone to access the public-folder and I want only user1 to access private-folder programmatically.
Inside the S3 bucket, I have added the following policy:
{
"Version": "2012-10-17",
"Id": "Policy1568654876568",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn-of-user1"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/private-folder/*"
}
]
}
from the IAM, I have created a policy for user1 to be able to access the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
Is there a better way to achieve this goal? Would be possible to deny everyone to access the private-folder using S3 policy and then override that using IAM policy that I have defined for user1?
Wouldn't the following be easier and more natural to do if you have public-folder and private-folder. The following is based on the fact that buckets and its objects are private by default.
Bucket policy
It allows public access to public-folder:
{
"Version": "2012-10-17",
"Id": "Policy1568654876568",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/public-folder/*"
}
]
}
User policy
It allows putting, getting and deleting objects in private-folder, as well as listing the bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/private-folder/*"
}
]
}
Would be possible to deny everyone to access the private-folder using S3 policy and then override that using IAM policy that I have defined for user1?
Explicit deny overwrites any allow. Thus if you deny access to everyone, you can't use any IAM policy to allow access.
I have an S3 Bucket that i want to restrict its access to only some specific users. I created a test account IAM : "test.access" and i put this policy on my bucket :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AuthorizeOnlySpecifiedUsers",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::xxxxxxxxxx:user/test.access"
]
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::test-bucket-xxxxxx-dev",
"arn:aws:s3:::test-bucket-xxxxxx-dev/*"
]
}
]
}
Now the problem is that the bucket is not accessible to anyone even the user test.access
What's going on with the policy ?
Thank you.
This policy should work (I haven't been able to test it yet). A couple things to note
Make sure to include yourself in the Deny NotPrincipal Policy
If you don't want your users having full access to the bucket list the actions they need int eh Allow part. Additional actions for yourself and other admins will be granted in the IAM User/Role polices
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AuthorizeOnlySpecifiedUsers",
"Effect": "Deny",
"Action": [
"s3:*"
],
"NotPrincipal": {
"AWS": [
"arn:aws:iam::xxxxxxxxxx:user/test.access",
"arn:aws:iam::xxxxxxxxxx:user/yourself"
]
},
"Resource": [
"arn:aws:s3:::test-bucket-xxxxxx-dev",
"arn:aws:s3:::test-bucket-xxxxxx-dev/*"
]
},
{
"Sid": "Allow",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:GetObject*",
"s3:RestoreObject*"
],
"Resource": [
"arn:aws:s3:::test-bucket-xxxxxx-dev",
"arn:aws:s3:::test-bucket-xxxxxx-dev/*"
]
}
]
}
I am using inline policy for grant access to s3 bucket for IAM user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::newput-test"
]
}
]
}
but on extended s3 browser when I use the access key id and secret access key of particular IAM user is not listing my bucket.but when I pass * in resources It works fine
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
]
}
but the problem is its giving access to all the s3 bucket to IAM user.
but I want to give access only single bucket anybody have an idea how to achieve this.
Try something like this
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mys3bucket",
"arn:aws:s3:::mys3bucket/*"
]
}
]
}
Its been explained here.
http://www.fizerkhan.com/blog/posts/Restrict-user-access-to-Single-S3-Bucket-using-Amazon-IAM.html
I'm trying to copy contents of an S3 bucket to another bucket on another account, and I wanted to use the CLI to do this. So I set up a bucket policy on the source bucket, allowing a IAM user in the destination account to perform all S3 actions, but it keeps complaining that the ListObjects operation is denied.
I've tried Google, but I can't tell what would be the problem with my policy compared to the solutions I find. Even if I make the source bucket public (and can list it in a browser), it still gives me access denied.
What to do, what to do? Here's my bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAll",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123123123123:user/USER"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::SOURCE",
"arn:aws:s3:::SOURCE/*"
]
}
]
}
Please try using below policy,
{
"Version": "2008-10-17",
"Id": "Policy1357935677554",
"Statement": [
{
"Sid": "CrossAccountList",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::examplebucket"
},
{
"Sid": "CrossAccountS3",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*"
}
]
}
You can read the full steps here
Another read here