What is Wrong With My AWS Policy? - amazon-web-services

I am trying to give a programmatic IAM user access to a single bucket.
I setup the following policy and attached it to the user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
Trying to programatically upload a file I got a 403.
I got this policy from here:
Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
I verified that everything else is working by then adding an AWS managed policy, AmazonS3FullAccess, after which my upload succeeded. But I would rather not give this user full access.
There are no other policies attached to this user.

Nothing is wrong with your policy. Make sure you're using the right bucket name in the IAM policy and to add the policy to the user.
You can test it with IAM Policy Simulator. Maybe you should consider the time to policies take effect, but it's "almost immediately". See this answer.

You can try this policy to give full access to a particular bucket:
{
"Version": "2012-10-17",
"Statement": [{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<BUCKETNAME>/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
Since you are providing Put, Get, Delete, You might as well provide full access to the particular bucket.

Related

AWS S3 Error 'Policy has invalid resource'

I was moving S3 bucket from source bucket to destination bucket.
below is reference to do the work.
https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/?nc1=h_ls
but I've got error while making policy. error message is Policy has invalid resource
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<SOURCE_BUCKET_NAME>",
"arn:aws:s3:::<SOURCE_BUCKET_NAME>/*"
]
},
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<DESTINATION_BUCKET_NAME>",
"arn:aws:s3:::<DESTINATION_BUCKET_NAME>/*"
]
}
]
}
I had changed policy for test and It worked. difference is as follows.
arn:aws:s3:::<SOURCE_BUCKET_NAME> > arn:aws:s3:::<DESTINATION_BUCKET_NAME>
I don't know why It doesn't work if I fill out my SOURCE_BUCKET_NAME.
I swear source bucket name is not wrong. you might think that question is like a fool and I also assume It'll be nothing but I couldn't find any point. Please give me a hand if you know the answer. thanks for reading :)
+ be added
bucket policy that I attached to the source bucket.
replaced principal is ARN of the IAM identity in target(destination) account.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxx:user/ws.kim"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<SOURCE_BUCKET_NAME>/*",
"arn:aws:s3:::<SOURCE_BUCKET_NAME>"
]
}
]
}
The reason is that this is invalid bucket policy. Instead it should be managed IAM policy that you create and attach to IAM role or user.
Please check the How can I copy S3 objects from another AWS account? article again and you will be able to properly setup this policy.

Error connecting to AWS Transfer (SFTP service) via Filezilla [duplicate]

I am having trouble connecting to AWS Transfer for SFTP. I successfully set up a server and tried to connect using WinSCP.
I set up an IAM role with trust relationships like follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "transfer.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I paired this with a scope down policy as described in the documentation using a home directory homebucket and home directory homedir
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListHomeDir",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::${transfer:HomeBucket}"
},
{
"Sid": "AWSTransferRequirements",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:PutObjectTagging",
"s3:PutObjectAcl",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
}
]
}
I was able to authenticate using an ssh key, but when it came to actually reading/writing files I just kept getting opaque errors like "Error looking up homedir" and failed "readdir". This all smells very much like problems with my IAM policy but I haven't been able to figure it out.
We had similar issues getting the scope down policy to work with our users on AWS Transfer. The solution that worked for us, was creating two different kinds of policies.
Policy to attach to the role which has general rights on the whole bucket.
Scope down policy to apply to the user which makes use of the transfer service variables like {transfer:UserName}.
We concluded that maybe only the extra attached policy is able to resolve the transfer service variables. We are not sure if this is correct and if this is the best solution, because this opens the possible risk when forgiving to attach the scope down policy to create a kind of "admin" user. So I'd be glad to get input to further lock this down a little bit.
Here is how it looks in my console when looking at the transfer user details:
Here are our two policies we use:
General policy to attach to IAM role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-s3-bucket"
]
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3::: my-s3-bucket/*"
}
]
}
Scope down policy to apply to transfer user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${transfer:HomeBucket}"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:UserName}/*",
"${transfer:UserName}"
]
}
}
},
{
"Sid": "AWSTransferRequirements",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
}
]
}
I had a similar problem but with a different error behavior. I managed to log in successfully, but then the connection was almost immediately closed.
I did the following things:
Make sure that the IAM role that allows bucket access also contains KMS access if your bucket is encrypted.
Make sure that the trust relationship is also part of that role.
Make sure that the server itself has a Cloudwatch role also with a trust relationship to transfer.amazonaws.com! This was the solution for me. I don't get why this is needed but without the trust relationship in the Cloudwatch role, my connection get's closed.
I hope that helps.
Edit: Added a picture for the settings of the CloudWatch role:
The bucket policy for the IAM user role can look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<your bucket>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<your bucket>/*"
]
}
]
}
Finally, also add a Trust Relationship as shown above for the user IAM role.
If you can connect to your sftp but then get a readdir error when trying to list contents, e.g. with the command "ls", then that's a sign that you have no bucket permission. If your connection get's closed right away it seems to be a Trust Relationship issue or a KMS issue.
According to the somewhat cryptic documentation #limfinity was correct. To scope down access you need a general Role/Policy combination granting access to see the bucket. This role gets applied to the SFTP user you create. In addition you need a custom policy which grants CRUD rights only to the user's bucket. The custom policy is also applied to the SFTP user.
From page 24 of this doc... https://docs.aws.amazon.com/transfer/latest/userguide/sftp.ug.pdf#page=28&zoom=100,0,776
To create a scope-down policy, use the following policy variables in your IAM policy:
AWS Transfer for SFTP User Guide
Creating a Scope-Down Policy
• ${transfer:HomeBucket}
• ${transfer:HomeDirectory}
• ${transfer:HomeFolder}
• ${transfer:UserName}
Note
You can't use the variables listed preceding as policy variables in an IAM role definition. You create these variables in an IAM policy and supply them directly when setting up your user. Also, you can't use the ${aws:Username}variable in this scope-down policy. This variable refers to an IAM user name and not the user name required by AWS SFTP.
Can't comment, sorry if I'm posting incorrectly.
Careful with AWS's default policy!
This solution did work for me in that I was able to use scope-down policies for SFTP users as expected. However, there's a catch:
{
"Sid": "AWSTransferRequirements",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
This section of the policy will enable SFTP users using this policy to change directory to root and list all of your account's buckets. They won't have access to read or write, but they can discover stuff which is probably unnecessary. I can confirm that changing the above to:
{
"Sid": "AWSTransferRequirements",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "${transfer:HomeBucket}"
},
... appears to prevent SFTP users from listing buckets. However, they can still cd to directories if they happen to know buckets that exist -- again they dont' have read/write but this is still unnecessary access. I'm probably missing something to prevent this in my policy.
Proper jailing appears to be a backlog topic: https://forums.aws.amazon.com/thread.jspa?threadID=297509&tstart=0
We were using the updated version of SFTP with Username and Password and had to spend quite some time to figure out all details. For the new version, the Scope down policy needs to be specified as 'Policy' key within Secrets Manager. This is very important for the whole flow to work.
We have documented the full setup on our site here - https://coderise.io/sftp-on-aws-with-username-and-password/
Hope that helps!

AWS S3 permissions

I have created a bucket name "A" with following permissions:
1. Grantee: B List Update/delete
2. Grantee: Everyone List view/download
From IOS(front-end), they are uploading a video to this Bucket.After uploaded only the 1st permission is applied, second is not, So we nobody can download that video from S3.
Please share your ideas. Thanks in advance.
I can't see any view/download option in the S3 Permissions pane.
As a general rule, AWS recommends using S3 bucket policies or IAM
policies for access control. S3 ACLs is a legacy access control
mechanism that predates IAM.
AWS Security Blog
If you wish to use a bucket policy instead, you can do the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1420667647000",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::YOUR-BUCKET-NAME/*"
]
},
{
"Sid": "Stmt1420667680000",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::account-number-without-hyphens:user/username"
},
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::YOUR-BUCKET-NAME/*"
]
}
]
}

Amazon Web Service S3 Access Denied with seemingly good IAM policy

The following AWS Policy is meant to be bound to an IAM group and then added to users. This will grant every user in the group access to their own folder on Amazon S3.
Now the problem is that with this Policy users still get Access denied in their own folder, they can not list the buckets or perform any other operations.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:username}/"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/home/${aws:username}",
"arn:aws:s3:::bucketname/home/${aws:username}/*"
]
}
]
}
What I eventually would like is that the user is able to put and get files from their own folder, but not see any of the other folders or buckets, but that doesn't seem possible with this policy.
Ideas?
Apparantly it takes up to a few minutes for the policy to apply, policy validates fine now.

S3 security policy seems to have no effect

I am trying to use S3 as maven repo. I created 2 IAM users for write and read, and used the Policy Generator to create the following bucket policy, which I added to the bucket.
{
"Id": "Policy1442851625435",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1442851437396",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::closeup-maven/*",
"Principal": {
"AWS": [
"arn:aws:iam::642063966117:user/maven-write"
]
}
},
{
"Sid": "Stmt1442851517972",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::closeup-maven/*",
"Principal": {
"AWS": [
"arn:aws:iam::642063966117:user/maven-read"
]
}
},
{
"Sid": "Stmt1442851587864",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::closeup-maven",
"Principal": {
"AWS": [
"arn:aws:iam::642063966117:user/maven-write",
"arn:aws:iam::642063966117:user/maven-read"
]
}
}
]
}
[anonymized]
When I run the Policy Simulator, I get denied for both users.
When I go to the bucket and set Everyone-access for everything, I still get denied in the Policy Simulator, when I am testing with these two users.
What am I missing?
I noticed a disclaimer in the IAM Policy Simulator that says it does not take into account policies attached to resources, like your bucket policy. Maybe if you had the policy attached separately to the IAM users, the simulator would evaluate them.
This action belongs to a service that supports access control mechanisms attached to resources.The policy simulator does not model these mechanisms, so results may differ in your production environment.