I have an S3 bucket to upload files in the following path syntax:
arn:aws:s3:::XXX/{generated string}/logs/{file}
I require the bucket's root listing to be private and for a directory listing of each of the logs folders to be public.
The generated folder names are dynamically created so it would not be plausible to manually make each folder public.
I have attempted to use the S3 policy generator, to generate the following policy:
{
"Id": "PolicyID",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStatement",
"Action": [
"s3:ListObjects"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::XXX",
"Condition": {
"StringLike": {
"s3:prefix": "*/logs"
}
},
"Principal": "*"
}
]
}
However, upon attempting to save this policy AWS throws a "policy has invalid action" error.
How can I create a policy to fit these requirements?
Related
I am getting very frustrated with AWS today as it seems to provide validation errors that have literally no relevance to the actual issues (its almost like working on Windows 3.1 again) and the frustration keeps on coming with this latest irritation using the policies on S3.
I am trying to extend an existing S3 bucket policy on a bucket that has ACLs disabled, in order to enable server access logs.
I have extended the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MyS3Bucket/*"
},
-- NEW PART BELOW ---
{
"Sid": "S3ServerAccessLogsPolicy",
"Effect": "Allow",
"Principal": {
"Service": "logging.s3.amazonaws.com"
},
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::MyS3LogsBucket/*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::MyS3Bucket"
},
"StringEquals": {
"aws:SourceAccount": "MyAccountId"
}
}
}
]
}
However, no matter if I follow the documentation found at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-migrating-acls-prerequisites.html#object-ownership-server-access-logs) or use the in-built policy generator within S3, or the other policy generator found at https://awspolicygen.s3.us-east-1.amazonaws.com/policygen.html.
I am constantly getting errors such as "Policy has invalid resource".
Please can someone tell me what is wrong with the above because the resource does exist and the name is copied directly from the resource itself, so there are no typos.
I suspect that you have the Source and Destination buckets switched.
Let's say:
Source bucket is the one that you want to track via Server Access Logging
Destination bucket is where you would like the logs stored
The policy should be placed on the Destination bucket. Here is the policy that was automatically created for me on my Destination bucket when I activated Server Access Logging:
{
"Version": "2012-10-17",
"Id": "S3-Console-Auto-Gen-Policy",
"Statement": [
{
"Sid": "S3PolicyStmt-DO-NOT-MODIFY",
"Effect": "Allow",
"Principal": {
"Service": "logging.s3.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::destination-bucket/*"
}
]
}
It would seem that you are placing the policy on the Source bucket, based upon the fact that you have a policy that is making the entire bucket public, and the fact that you said you are 'extending' an existing policy.
Basically, the bucket that is referenced in Resource should be the bucket on which the policy is being placed. In your policy above, two different buckets are being referenced in the Resource fields.
I have created an S3 bucket and also an API through the AWS API Gateway to upload images to the bucket. The problem is, when I upload an image, to view that image I need to update the Access control list (ACL) to Public for each image separately. Even though I set everything to the public in the bucket permissions, still I have to update the ACL in each image to access them. How can I set the access level to "Public" for the whole bucket once?
This is my bucket permissions:
Access: Public
Block all public access: Off
Bucket policy:
{
"Version": "2012-10-17",
"Id": "Policy1647249671911",
"Statement": [
{
"Sid": "Stmt1647249649218",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucketname"
}
]
}
Access control list (ACL):
Your current policy is highly insecure and allows anyone to do pretty much anything with your bucket, including changing it policy or deleting it.
The correct bucket policy for public, read-only access is:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicRead",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
]
}
]
}
I have access to one of two AWS environments and I've created a protected S3 bucket in it to upload files to from an account in the one that I do not. The environment and the account that I don't have access to are what a project's CI uses.
environment I have access to: env1
environment I do not have access to: env2
account I do not have access to: user/ci
bucket name: content
S3 bucket policy:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
...
},
{
"Sid": "Allow access to bucket from profile in env1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/ci"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket*"
],
"Resource": "arn:aws:s3:::content"
},
{
"Sid": "Allow access to bucket items from profile in env1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/ci"
},
"Action": [
"s3:Get*",
"s3:PutObject",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::content",
"arn:aws:s3:::content/*"
]
}
]
}
From inside a container that's configured for env1 and user/ci I'm testing with the command
aws s3 sync content/ s3://content/
and I get the error:
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
I have two questions:
Am I even using the correct aws command to upload the data to the bucket?
Am I missing something from my bucket policy?
For the latter, I've basically followed what a load of examples and answers online have suggested.
To test your policy, I did the following:
Created an IAM User with no policies
Created an Amazon S3 bucket
Attached your Bucket Policy to the bucket, and updated the ARN and bucket name
Tested access to the bucket with:
aws s3 ls s3://bucketname
aws s3 sync folder/ s3://bucketname/folder/
It worked fine.
Therefore, the policy you display appears to be giving all necessary permissions. It is possible that you have something else that is Denying access on the bucket.
The solution was to given the ACL
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::content",
"arn:aws:s3:::content/*"
]
}
]
}
to user/ci in env1.
In AWS S3, I have one bucket named "Environments" under that I have 4 folders named "sandbox", "staging", "prod1" and "prod2" respectively and the permission of the whole bucket is "public".
Now I want to restrict One AWS user named "developer" to write anything into "prod1" and "prod2" folder but it can view them.
Kindly help me out with this
Create below policy and attach to a user developer
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::Environments",
"arn:aws:s3:::Environments/sandbox/*",
"arn:aws:s3:::Environments/staging/*",
]
}
]
}
This policy allows to full permission to folder sandbox and staging, but restrict another folder to user developer
I am trying to limit a deny a specific user list, read, and write access to a specific folder in my bucket. I am able to allow the user to see other folders, but on adding a deny policy to the account (added through groups), I get an access denied message.
This is what I have for the deny access:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Deny",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::myBucket",
"Condition": {
"StringLike": {
"s3:prefix": "Admin/*"
}
}
}
]
}
In theory, I would like to limit a certain user to not be able to do the above regarding the Admin folder, however they still need to be able to view the bucket for other folders.
I have also tried:
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1516743098844",
"Action": [
"s3:GetBucketLocation",
"s3:PutObject",
"s3:GetObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucket/Admin/*",
"Principal": {
"AWS": [
"arn:aws:iam::11111111:user/Jenny"
]
}
}
]
}
Both of the above JSON statements were created using the Policy Generator for S3 Bucket Policy and IAM Policy.
Any clue on how to deny list access to a folder but allow viewing the bucket?
Your first statement works perfectly fine for me!
$ aws s3 ls s3://my-bucket/
PRE Admin/
PRE other/
2018-01-23 16:33:07 15091 cat.jpg
$ aws s3 ls s3://my-bucket/other/
2018-01-23 16:34:02 91 foo
$ aws s3 ls s3://my-bucket/Admin/
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied