AWS Policy not respecting - amazon-web-services

On Elastic Beanstalk, under the Logs section, when I access this tab I immediately get an error: "An error occurred retrieving logs: Access Denied".
If I click on "request latest 100 lines of log" I get another error in the EB events:
Failed retrieveEnvironmentInfo activity. Reason: Access Denied
In the events log I get two errors:
ERROR Failed retrieveEnvironmentInfo activity. Reason: Access Denied
INFO [Instance: i-0aa53b9c5f88fe09b] Successfully finished tailing 36 log(s)
INFO Pulled logs for environment instances.
ERROR Service:Amazon S3, Message:Access Denied
My role policy at the moment allows me these operations:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:*",
        "cloudformation:*",
        "cloudwatch:*",
        "dynamodb:*",
        "ec2:Describe*",
        "ec2:Get*",
        "ec2messages:Get*",
        "elasticbeanstalk:*",
        "iam:*",
        "kms:ListAliases",
        "lambda:Get*",
        "lambda:List*",
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:Get*",
        "logs:List*",
        "logs:ListTagsLogGroup",
        "logs:TestMetricFilter",
        "sdb:Get*",
        "s3:Get*",
        "s3:List*",
        "ses:*",
        "sns:*",
        "sqs:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "cloudformation:DeleteStack",
        "dynamodb:DeleteTable",
        "elasticbeanstalk:DeleteEnvironment*",
        "elasticbeanstalk:DeleteApplication",
        "iam:Create*",
        "iam:Delete*",
        "iam:Remove*",
        "s3:DeleteBucket",
        "sqs:DeleteQueue"
      ],
      "Resource": "*"
    }
  ]
}
I also have my EB policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "cloudwatch:*",
        "cloudformation:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "elasticbeanstalk:*",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "health:Describe*",
        "health:Get*",
        "health:List*",
        "lambda:UpdateFunctionCode",
        "lambda:CreateAlias",
        "logs:*",
        "s3:Get*",
        "s3:List*",
        "s3:Head*",
        "s3:Put*",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
So, when you use EB and try to see logs, does it use the user role policy or the service policy to check for permission? It seems pretty weird.

I was having a similar issue and was able to solve it by adding the following to my policy.
{
  "Effect": "Allow",
  "Action": [
    "s3:*"
  ],
  "Resource": "arn:aws:s3:::elasticbeanstalk-*"
}
Not quite sure what all is done in the elasticbeanstalk S3 bucket, but this covered it. Here's my full policy that allowed me to pull Beanstalk logs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:List*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:Request*",
        "elasticbeanstalk:Retrieve*",
        "ec2:Describe*",
        "ec2:Get*",
        "cloudformation:Describe*",
        "cloudformation:List*",
        "cloudformation:Get*",
        "autoscaling:Describe*",
        "elasticloadbalancing:Describe*",
        "s3:Head*",
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "arn:aws:s3:::elasticbeanstalk-*"
    }
  ]
}

Using "s3:*" is too permissive. In addition to the other Elastic Beanstalk permissions, I found that these S3 permissions were sufficient to be able to pull logs.
It's not the minimum set of S3 permissions that can be used, but it's certainly more secure than "s3:*".
{
  "Effect": "Allow",
  "Action": [
    "s3:Get*",
    "s3:List*",
    "s3:HeadBucket",
    "s3:HeadObject",
    "s3:PutObject",
    "s3:PutObjectAcl"
  ],
  "Resource": [
    "arn:aws:s3:::elasticbeanstalk-*",
    "arn:aws:s3:::elasticbeanstalk-*/*"
  ]
}

Related

AWS SFTP Transfer remote open("/file"): Permission denied

I have a SFTP server setup in AWS Transfer Family tied to a S3 bucket and when the user tries uploading to it without IP restriction, it works. However, when IP restriction is added, we get a Permission denied error. (Some information has been deidentified for privacy reasons)
sftp> put file.pdf
Uploading file.pdf to /file.pdf
remote open("/file.pdf"): Permission denied
sftp>
Policy without IP restriction:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:us-east-1:XXXXX:key/XXXXX"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::data/*",
        "arn:aws:s3:::data"
      ]
    }
  ]
}
File upload successful. CloudWatch logs without IP restriction:
2022-08-03T18:49:56.945-05:00 username.XXXX CONNECTED SourceIP=X.X.X.X User=username HomeDir=LOGICAL Client=SSH-2.0-OpenSSH_7.4 Role=arn:aws:iam::XXXX:role/TransferBucketRW Kex=ecdh-sha2-nistp256 Ciphers=chacha20-poly1305@openssh.com,chacha20-poly1305@openssh.com
2022-08-03T18:50:26.134-05:00 username.XXXX OPEN Path=/data/uploads/file.pdf Mode=CREATE|TRUNCATE|WRITE
2022-08-03T18:50:26.240-05:00 username.XXXX CLOSE Path=/data/uploads/file.pdf BytesIn=347971
Policy with IP restriction:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:us-east-1:XXXX:key/XXXX"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::data/*",
        "arn:aws:s3:::data"
      ],
      "Condition": {
        "Bool": {
          "aws:ViaAWSService": "false"
        },
        "IpAddress": {
          "aws:SourceIp": "X.X.X.X/32"
        }
      }
    }
  ]
}
File upload failed. CloudWatch logs with IP restriction:
2022-08-03T18:59:14.498-05:00 username.XXXX CONNECTED SourceIP=X.X.X.X User=username HomeDir=LOGICAL Client=SSH-2.0-OpenSSH_7.4 Role=arn:aws:iam::XXXXX:role/TransferBucketRW Kex=ecdh-sha2-nistp256 Ciphers=chacha20-poly1305@openssh.com,chacha20-poly1305@openssh.com
2022-08-03T18:59:39.323-05:00 username.XXXX ERROR Message="Access Denied" Operation=OPEN Path=/data/uploads/file.pdf Mode=CREATE|TRUNCATE|WRITE RequestID=P9S2XW6FNMAW9T4T S3ExtendedRequestID=Omk8mugElCEwQpv1zXQtflAk8kEnky2/LrsetgW03js4g64ZI2XCjp6i8zgQvDZBf+hAp8ZdLS0=
2022-08-03T18:59:39.323-05:00 username.XXXX ERROR Message="Access denied"
I can confirm that the IP in the policy matched the SourceIP seen in the CloudWatch logs. Wondering if I need to add this IP restriction in the trust policy of the role in addition to this IAM policy.

How to configure AWS IAM to enable a user to download some folders/prefixes from a bucket, but not others?

We need to configure an IAM policy in Amazon Web Services to allow someone to use the CLI (command line interface) to download objects from certain folders/prefixes but not others. For example, if our bucket were called "companybucket", we have three folders/prefixes:
companybucket/apples
companybucket/oranges
companybucket/bananas
We need the external user to be able to download objects in the "apples" and "bananas" folders but not the oranges.
So far, we have created the following IAM policy to get started with the "apples":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketTagging",
        "s3:GetInventoryConfiguration",
        "s3:GetObjectVersionTagging",
        "s3:ListBucketVersions",
        "s3:GetBucketLogging",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetObjectVersionTorrent",
        "s3:GetObjectAcl",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketRequestPayment",
        "s3:GetAccessPointPolicyStatus",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectTagging",
        "s3:GetMetricsConfiguration",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:ListBucketMultipartUploads",
        "s3:GetObjectRetention",
        "s3:GetBucketWebsite",
        "s3:GetBucketVersioning",
        "s3:GetBucketAcl",
        "s3:GetObjectLegalHold",
        "s3:GetBucketNotification",
        "s3:GetReplicationConfiguration",
        "s3:ListMultipartUploadParts",
        "s3:GetObject",
        "s3:GetObjectTorrent",
        "s3:DescribeJob",
        "s3:GetBucketCORS",
        "s3:GetAnalyticsConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetBucketLocation",
        "s3:GetAccessPointPolicy",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::companybucket/apples",
        "arn:aws:s3:::companybucket/apples/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:GetAccessPoint",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:ListJobs",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    }
  ]
}
Then, in the AWS console, we went to IAM (Identity & Access Management) >> Users >> chose the user in question >> Permissions tab >> directly attached the policy to the user.
Then, the user executes the following command in CLI:
aws s3 sync s3://companybucket/apples MYFILES
The following error appears: "An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied"
What are we doing wrong? Any help would be greatly appreciated, thanks.
The following approach has been successful for us to allow an AWS user set up in IAM the ability to download files/objects from some (but not all) folders in a bucket.
FIRST, set up the following policy in IAM.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStatement01",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::companybucket"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "apples",
            "bananas"
          ]
        }
      }
    },
    {
      "Sid": "AllowStatement02",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::companybucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "apples/*",
            "bananas/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowStatement03",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::companybucket/apples/*",
        "arn:aws:s3:::companybucket/bananas/*"
      ]
    }
  ]
}
SECOND, attach the newly created policy directly to the user in IAM.
THIRD, tell the user to set up a root-level local folder called MYFILES and then enter the following command in CLI (command line interface):
aws s3 sync s3://companybucket/apples MYFILES
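The decisions in this thread, and the allow-plus-deny user policy in the Elastic Beanstalk question at the top of the page, follow from three IAM evaluation rules: a matching explicit Deny always wins, an Allow has to match the action, the resource and every condition key, and anything left unmatched is an implicit deny. The script below is an added example written for this page (it is not AWS code and not any poster's code). It implements just enough of that logic to reproduce why a ListBucket grant on the `companybucket/apples` ARN never authorises the ListObjectsV2 call behind `aws s3 sync`, why the `s3:prefix`-conditioned version does, and why a Deny on `iam:Create*` overrides `iam:*`. The policies are condensed from the ones posted; the account ID, user name and object keys are constructed, and only the StringEquals, StringEqualsIgnoreCase, StringLike and Bool operators are modelled.

```python
"""Offline approximation of IAM policy evaluation (added example, not AWS code).
Explicit Deny wins; Allow needs action AND resource AND conditions; else implicit deny.
"""
import re


def iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard matching: '*' is any run of characters, '?' one character.
    Hand-rolled rather than fnmatch so '[' and ']' inside ARNs stay literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_ok(condition: dict, context: dict) -> bool:
    """Every operator block and key must hold (AND); the values of one key are OR-ed.
    A key missing from the request context fails the condition, as in IAM."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            actual = context.get(key)
            if actual is None:
                return False
            actual = str(actual)
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator in ("StringEqualsIgnoreCase", "Bool"):
                ok = actual.lower() in [w.lower() for w in wanted]
            elif operator == "StringLike":
                ok = any(iam_match(w, actual) for w in wanted)
            else:  # IpAddress, ArnLike, ... are deliberately not modelled here
                raise NotImplementedError(f"condition operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context=None) -> str:
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    context = context or {}
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue  # action names are case-insensitive, ARNs are not
        if not any(iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # a matching Deny wins whatever else matched
        decision = "allow"
    return decision


BUCKET = "arn:aws:s3:::companybucket"

# Shape of the first policy in the apples/oranges question: ListBucket is scoped to
# prefix ARNs, but ListObjectsV2 is authorised against the bucket ARN, so nothing matches.
PREFIX_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": [BUCKET + "/apples", BUCKET + "/apples/*"]}]}

# Shape of the working policy: ListBucket on the bucket ARN gated by s3:prefix,
# GetObject only under the permitted prefixes.
PREFIX_CONDITIONED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringEquals": {"s3:prefix": ["", "apples", "bananas"]}}},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": ["apples/*", "bananas/*"]}}},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": [BUCKET + "/apples/*", BUCKET + "/bananas/*"]}]}

# Allow-then-Deny pair in the style of the Elastic Beanstalk question's user policy.
ALLOW_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:Create*", "iam:Delete*", "s3:DeleteBucket"], "Resource": "*"}]}

USER_ARN = "arn:aws:iam::123456789012:user/alice"  # constructed, not from the page


def listing(policy: dict, prefix: str) -> str:
    """Decision for the ListObjectsV2 call that `aws s3 sync s3://companybucket/<prefix>` makes."""
    return evaluate(policy, "s3:ListBucket", BUCKET, {"s3:prefix": prefix})


if __name__ == "__main__":
    print("prefix-scoped ARN, list apples/  :", listing(PREFIX_SCOPED, "apples/"))        # implicit_deny
    print("s3:prefix condition, list apples/:", listing(PREFIX_CONDITIONED, "apples/"))   # allow
    print("s3:prefix condition, list oranges/:", listing(PREFIX_CONDITIONED, "oranges/"))  # implicit_deny
    print("iam:CreateUser under iam:* + Deny:", evaluate(ALLOW_WITH_DENY, "iam:CreateUser", USER_ARN))  # explicit_deny
```

Run it directly to see the decisions printed. Against a live account the authoritative equivalent is `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:ListBucket --resource-arns arn:aws:s3:::companybucket --context-entries ...`, which uses IAM's real engine rather than this approximation and is a safer way to bisect "wrong action" from "wrong resource" than editing the attached policy.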

prevent access to s3 buckets for sagemaker users

I'm trying to add an IAM user for using sagemaker. I used the AmazonSageMakerFullAccess policy. But when I log in as this user I can see all of the s3 buckets of the root account and download files from them.
The sagemaker documentation states
When attaching the AmazonSageMakerFullAccess policy to a role, you must do one of the following to allow Amazon SageMaker to access your S3 bucket:
Include the string "SageMaker" or "sagemaker" in the name of the bucket where you store training data, or the model artifacts resulting from model training, or both.
Include the string "SageMaker" or "sagemaker" in the object name of the training data object(s).
Tag the S3 object with "sagemaker=true". The key and value are case sensitive. For more information, see Object Tagging in the Amazon Simple Storage Service Developer Guide.
Add a bucket policy that allows access for the execution role. For more information, see Using Bucket Policies and User Policies in the Amazon Simple Storage Service Developer Guide.
This seems to be inaccurate: the user can access S3 buckets lacking "sagemaker" in the name. How do I limit the access?
The full policy is below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "cloudwatch:PutMetricData",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DeleteAlarms",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:RegisterScalableTarget",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "s3:ExistingObjectTag/SageMaker": "true"
        }
      }
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    }
  ]
}
Looks like the SageMaker notebook wizard has you create a role that has limited S3 access. If I add this and the default AmazonSageMakerFullAccess, the user is properly restricted.

AWS - Lambda Cloudfront logs

I'm having difficulties getting logs to print anything when requests happen outside the tests. The tests do log correctly, but not the real requests.
I've read that you need to add the correct permissions on the IAM profile. This is how my profile looks now.
policies:
AWSLambdaFullAccess
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "s3:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sns:Publish",
        "sqs:ListQueues",
        "sqs:SendMessage",
        "tag:GetResources",
        "kms:ListAliases",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "iot:GetTopicRule",
        "iot:ListTopicRules",
        "iot:CreateTopicRule",
        "iot:ReplaceTopicRule",
        "iot:AttachPrincipalPolicy",
        "iot:AttachThingPrincipal",
        "iot:CreateKeysAndCertificate",
        "iot:CreatePolicy",
        "iot:CreateThing",
        "iot:ListPolicies",
        "iot:ListThings",
        "iot:DescribeEndpoint",
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords"
      ],
      "Resource": "*"
    }
  ]
}
AWSLambdaVPCAccessExecutionRole
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}
Trust Relationships:
The identity provider(s) edgelambda.amazonaws.com
The identity provider(s) lambda.amazonaws.com
What am I missing? Why won't real requests to CloudFront log? I can see that the Lambda function is working when I try to fetch content from the CloudFront distribution.
Please attach the policy below to the existing roles you have:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "YOUR_SID",
      "Effect": "Allow",
      "Action": ["cloudfront:*"],
      "Resource": "*"
    }
  ]
}
The Sid, or statement ID, is optional.
It would be worth having a quick look at http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/access-control-managing-permissions.html

IAM user policy returning 403 Forbidden on Amazon S3 bucket

I am struggling to get an AWS S3 IAM user policy to work; this is my current IAM user's policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1424859689000",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::vault-us/*"
      ]
    }
  ]
}
When I do a POST to create a new object in my S3 bucket I get a 403 Forbidden error, but when I use the managed policy called 'AmazonS3FullAccess' everything works just fine.
What I am trying to do is restrict certain IAM users to upload/download rights, but I am struggling to get this working.
Any suggestions would be appreciated!
I managed to figure out that in order for upload to work I needed to include the action "s3:PutObjectAcl". Here is my IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::vault-us"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::vault-us/*"
      ]
    }
  ]
}
The first thing you can do is figure out whether it's the actions that are wrong or the resource scope. Can you try these two policies one at a time:
"Action": [
  "s3:*"
],
"Resource": [
  "arn:aws:s3:::vault-us/*"
]
and
"Action": [
  "s3:DeleteObject",
  "s3:GetObject",
  "s3:PutObject"
],
"Resource": [
  "*"
]
If the first one works and the second fails, you don't have enough permissions to do your operation, e.g. try adding ListBucket or similar (I tend to add all likely ones and gradually remove them until it breaks).
If the first one breaks and the second one works, then your resource declaration is wrong; the most common fix I've found is to try adding:
"Action": [
  "s3:DeleteObject",
  "s3:GetObject",
  "s3:PutObject"
],
"Resource": [
  "arn:aws:s3:::vault-us/*",
  "arn:aws:s3:::vault-us"
]
If both fail, then chances are both your action and your resource are wrong.
Good Luck