What policy would enable Lightsail to upload to a restricted S3 bucket? - amazon-web-services

Since Lightsail instances are hosted from a dedicated AWS account different from the user's account, what would be a good S3 bucket policy to restrict bucket/object actions for a specific Lightsail instance? Specifically, I would like to grant only s3:PutObject and s3:ListBucket actions to the instance.
Or, is there another, better solution for granting access than the bucket policy?

Since Lightsail is managed outside, you can create an IAM User (not an IAM Role) and attach an IAM Policy to it in the AWS account where the private S3 bucket resides.
Then use the IAM User's programmatic access credentials from your Lightsail instance to access S3.

Related

Get access from account1's EC2 to account2's S3 object using AWS SDK

I have a running app on an auto-scaled EC2 env. of account1 created via AWS CDK (it also should have support to be run on multiple regions). During the app execution I need to get an object from account2's S3.
One of the ways to get S3 data is to use tmp credentials (via STS assume role):
on account1 side create a policy for the EC2 instance role to assume STS tmp credentials for the S3 object
on account2 side create a policy with GetObject access to the S3 object
on account2 side create a role and attach point 2's policy to it + trust relationship to account1's EC2 role
Pros: no user credentials are required to get access to the data
Cons: requires manual permission configuration after each env update
Another way is to create a user in account2 with permission to get the S3 object and put the credentials on the account1 side.
Pros: doesn't require manual permission configuration after each env update
Cons: exposes the IAM user's credentials
Is there a better option to eliminate manual permission config and explicit IAM user credentials sharing?
You can add a Bucket Policy on the Amazon S3 bucket in Account 2 that permits access by the IAM Role used by the Amazon EC2 instance in Account 1.
That way, the EC2 instance(s) can access the bucket just as if it were in the same Account, without having to assume any roles or users.
Simply set the Principal to be the ARN of the IAM Role used by the EC2 instances.

I want to connect an EC2 instance which is in account A and which should be able to access buckets from both account A and another account B. How?

I saw the official documentation https://aws.amazon.com/premiumsupport/knowledge-center/s3-instance-access-bucket/ which says to create a role in both accounts and attach it!
I had another solution, which is to create an IAM user in account B and grant it only S3 bucket permissions and configure the EC2 instance in account B with that user. So if I do that, will it work? And can the EC2 instance still access the S3 from its own account?
It appears that your situation is:
Amazon EC2 instance in Account A
Amazon S3 bucket in Account A (Bucket-A)
Amazon S3 bucket in Account B (Bucket-B)
You would like the EC2 instance to be able to access both buckets
You should do the following:
Create an IAM Role (Role-A) for the Amazon EC2 instance with:
Permission to access Bucket-A, and
Permission to access Bucket-B
Add a Bucket policy to Bucket-B that permits access to the bucket from Role-A (This will grant "cross-account access")
That's it! The instance will be able to access Bucket-A due to permissions in the IAM Role, and it will be able to access Bucket-B due to permissions in both the IAM Role and the Bucket Policy.

Cognito Identity access bucket from another account

Here is the scenario.
AWS accountA has an S3 bucket.
AWS accountB has a Cognito user pool and Cognito identity set up.
Also accountB is running an Amplify app (so there is a fixed origin URL).
I want to allow logged-in users from accountB to put/get objects from the bucket in accountA.
How do I configure the bucket to allow that?
How do I configure the identity pool?
This is simple: the bucket would need to be updated to include a bucket policy that grants access to the role that the group in the identity pool uses.
Once this is done you would need to update the policy on the IAM role to grant access to the bucket referencing the actions and resources as if they're in your account.
Take a look at the How can I provide cross-account access to objects that are in Amazon S3 buckets? article to get in depth instructions for enabling cross account support for the S3 bucket.

Aws IAM Roles vs Bucket Policies

I have been reading a number of docs and watched a number of videos, but I am still very confused about IAM Roles and Bucket policies. Here is what confuses me:
1) I create a bucket. At that time I can make it public or keep it private. If I make it public, then anyone, or any Application, can "see" the objects in the bucket. I think the permissions can be set to add/delete/get/list objects in the bucket. If this is the case, then why do I ever need to add any IAM Role for S3 buckets, or add any Bucket policy (???)
2) At the time I create a bucket, can I give very specific permissions to only certain users/applications/EC2 instances etc. to all or part of the bucket? e.g. App1 on EC2-X can access subfolder A in bucket B1.
3) Coming to IAM Roles, an EC2 role that gives full S3 access: what does it mean? Full access to any bucket? How can I restrict an app running on an EC2 to only certain buckets, with only certain restricted permissions (see #2 above)? Do all Apps on the EC2 have full access to all buckets? At the time of creating a bucket, can the permissions be set so that an IAM Role can be overruled?
4) Finally, what do Bucket Policies do in addition to the above IAM Roles? e.g. is 'AllowS3FullAccess' a "Bucket Policy", or an "IAM Policy"? Why differentiate between types of policies? Policies are just that: they define some permissions/rules on some objects/resources, as I see it.
Thanks for any clarifications.
- a newcomer to AWS
I think you are confusing permissions for resources with IAM entities.
i) There are resources (S3 bucket, EC2 instances etc.) owned by the AWS account and these resources can be accessed by IAM users, IAM roles or other AWS Services (can be from same or different account)
ii) We manage who can access and their permission level with policies
iii) Policies can be identity based (attached to IAM user/group/role) or resource based (attached to S3 bucket, SNS topic)
iv) Resource based policy will have a Principal element but the identity based policies will not have that (because the attached IAM entity is the Principal)
v) Permissions start from default deny, allow overrides the default deny and an explicit deny overrides any allow
vi) Final access will be determined by combination of all policies
To answer your questions:
1> We cannot add (or attach) an IAM role to an S3 bucket. If you want your bucket to be public (which is not recommended, but needs to be done to some extent if it's in use for a static website), then you can keep it public
2> It is not possible while creating the bucket. You have to do it after creating the bucket via IAM and/or S3 bucket policy
3> If an IAM role has AmazonS3FullAccess, the role can (Effect:Allow) call any S3 API (s3:) for any S3 resource (Resource:) in your account (provided they don't have cross account access).
If multiple applications run on an instance with an IAM role attached and are using credentials provided by the role, their permissions will be the same.
4> I don't know where you got the reference AllowS3FullAccess but we cannot confirm unless we know the exact JSON. If it is attached to a bucket or has the Principal element, it is a bucket policy.
You can use IAM and Bucket policies based on your need. Usually bucket policies are used for cross account access or if you want to manage S3 permission policies in a single place.
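As an added example (not code from any of the answers above), the following Python model encodes the evaluation rules in this answer (default deny, explicit deny overrides allow, same-account access needs an allow from either the identity policy or the bucket policy, cross-account access needs both) and runs it over constructed policies for two earlier cases: the restricted IAM user for the Lightsail upload (s3:PutObject and s3:ListBucket only) and Role-A reading Bucket-B cross-account. Account ids, bucket names and ARNs are placeholders, and the model is a deliberate simplification of IAM (no Condition elements, no SCPs, no ACLs, no session policies).

```python
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _statement_matches(stmt, principal_arn, action, resource):
    # Bucket policies name a Principal ("*" or {"AWS": arn}); identity policies do not.
    if "Principal" in stmt:
        p = stmt["Principal"]
        allowed = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(fnmatchcase(principal_arn, a) for a in allowed):
            return False
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def _evaluate(policy, principal_arn, action, resource):
    """Return 'Deny', 'Allow' or None (nothing matched) for one policy document."""
    verdict = None
    for stmt in policy.get("Statement", []):
        if _statement_matches(stmt, principal_arn, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny: stop, nothing can override it
            verdict = "Allow"
    return verdict


def is_allowed(principal_arn, bucket_account, identity_policy, bucket_policy, action, resource):
    """Simplified IAM decision: default deny, deny wins, same account = either allow, cross = both."""
    ident = _evaluate(identity_policy, principal_arn, action, resource)
    bucket = _evaluate(bucket_policy, principal_arn, action, resource)
    if "Deny" in (ident, bucket):
        return False
    if principal_arn.split(":")[4] == bucket_account:   # account id is the 5th ARN field
        return "Allow" in (ident, bucket)
    return ident == "Allow" and bucket == "Allow"


# Constructed sample policies with placeholder account ids and bucket names.
# Note the resource split: ListBucket targets the bucket ARN, PutObject the bucket/* ARN.
LIGHTSAIL_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::uploads-bucket"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::uploads-bucket/*"}]}
ROLE_A_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-b/*"}]}
BUCKET_B_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/Role-A"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-b/*"}]}
NO_POLICY = {"Version": "2012-10-17", "Statement": []}
USER = "arn:aws:iam::222222222222:user/lightsail-uploader"   # same account as the bucket
ROLE_A = "arn:aws:iam::111111111111:role/Role-A"              # different account from Bucket-B
```

Running the Lightsail user against the bucket in its own account shows PutObject and ListBucket allowed with no bucket policy at all, GetObject refused; Role-A gets Bucket-B objects only when both its own policy and the bucket policy allow it.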

Creating IAM Role on S3/Lambda

Everywhere I can see an IAM Role is created on an EC2 instance and given Roles like S3FullAccess.
Is it possible to create an IAM Role on S3 instead of EC2? And attach that Role to an S3 bucket?
I created an IAM Role on S3 with S3FULLACCESS. I am not able to attach that to the existing bucket or create a new bucket with this Role. Please help
IAM (Identity and Access Management) Roles are a way of assigning permissions to applications, services, EC2 instances, etc.
Examples:
When a Role is assigned to an EC2 instance, credentials are passed to software running on the instance so that they can call AWS services.
When a Role is assigned to an Amazon Redshift cluster, it can use the permissions within the Role to access data stored in Amazon S3 buckets.
When a Role is assigned to an AWS Lambda function, it gives the function permission to call other AWS services such as S3, DynamoDB or Kinesis.
In all these cases, something is using the credentials to call AWS APIs.
Amazon S3 never requires credentials to call an AWS API. While it can call other services for Event Notifications, the permissions are actually put on the receiving service rather than S3 as the requesting service.
Thus, there is never any need to attach a Role to an Amazon S3 bucket.
Roles do not apply to S3 as they do with EC2.
Assuming #Sunil is asking if we can restrict access to data in S3.
In that case, we can either set S3 ACLs on the buckets or the objects in them, OR set S3 bucket policies.