I have made an explicit deny policy for all users on s3 bucket, so now not able to change the policy.
Can root user delete that policy ?
Root user have always an access to change the policies if anything goes wrong ?
Correct. The AWS root user has all permissions on the account. Login as that user and reset or delete the incorrect policy.
Related
According to the Documentation: Granting permissions to multiple accounts with added conditions it is possible to create with the entry:
Principal": {"AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"]}
just access for all the users inside this account. But unfortunately it is not working. When putting single users there the access for that User from that different account is working. But with all and the root option is does not work.
But with all and the root option is does not work.
This is because the admins of these accounts also have to add permissions to IAM users/roles to access the bucket. In other words, adding arn:aws:iam::111122223333:root to a bucket policy is not enough. The individual IAM users or roles from 111122223333 also need IAM permissions to access the bucket.
I am new to AWS and trying to understand IAM. I have a doubt which goes like this. for example there is a s3 bucket in account A and in it's resource policy another AWS account B (root user) is given permission for a certain set of actions. Now there are certain roles which are also present in account B. so if someone assumes those roles, will they also have access to that s3 bucket in account A or the Arn of that role needs to be explicitly mentioned in the resource policy of bucket even though it's root account already has access to it ?
When you want to provide access cross-accounts, that is - access to a resource in one account to a principal (in this example, a role) from another account - granting the access on the resource policy is not enough - and you also have to give access to that principal in a IAM policy in its account. When you place the root user of an account in a resource based policy - that indicates that access may be granted to any principal within that account (using a IAM policy on that account)
So, to answer your question - if the root user of account B is a principal to which access is granted in the bucket policy - you don’t have to indicate the ARN of any specific role - However, you do need to assign access to the role in a IAM policy in account B so assuming it would grant access to the bucket (I’m assuming there’s no mechanism denying the access of course)
When a user assumes a role, the user temporarily gives up his or her original permissions in exchange for those granted by the role. So to answer your question, in order for the bucket to be accessible to the role assumed by the root account (or any principle really), the ARN of the role needs to be explicitly mentioned in the bucket policy.
I have created a new S3 bucket and I am following the below tutorial to host a static website. https://docs.aws.amazon.com/AmazonS3/latest/userguide/HostingWebsiteOnS3Setup.html#step3-edit-block-public-access
However when it comes to setting the bucket policy, it states that the root user has no access to manage bucket policy. If I follow the links and traverse to the IAM console, there are no other users but me the root user. How can the root user grant himself the bucket permissions?
It wont allow setting a bucket policy if you have not cleared the Block All Public Access button. I had not cleared that and it was resulting in this invalid permissions error.
I have an IAM user and i have given S3 full access to specific user, also i am giving some access permissions in S3 bucket separately, i want to know which one will execute first.
either it will give full access to my user according to IAM or it will work according to the S3 permission
It will use both of the permissions.
First, any Deny permissions will be evaluated (on the IAM User, any IAM Group they belong to, and in the Bucket Policy). If the request matches a Deny policy, then the request is denied.
Next, all Allow permissions are evaluated. If the request matches an Allow policy, then the request is allowed.
So, in the absence of any Deny policies, a request will be permitted as long as any permission grants the access.
I was trying few things with aws s3 bucket policy and the documentation for put-bucket-policy says that the user should have PutBucketPolicy on the bucket and should be the owner.
I do not understand the use of PutBucketPolicy permission then.
Also is the bucket owner given a default PutBucketPolicy permission on his bucket?
http://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTpolicy.html
The confusion here, I suspect, is related to the fact that users don't own buckets. The "owner" of a bucket is an individual AWS account.
You can't successfully grant PutBucketPolicy to any user in a different AWS account -- only your own account's user(s).
There's an illusion of circular logic here: How can I set a bucket policy... allowing myself to set the bucket policy... unless I am already able to set the bucket policy... which would make it unnecessary to set a bucket policy allowing me to set the bucket policy?
This is not as it seems: the problem is resolved by the fact that IAM user policies can grant a user permission to set the bucket policy, and the root account can do this by default -- which is why you should not use your root account credentials routinely: they are too privileged, if they fall into the wrong hands.