I am trying to give access permission for S3 bucket in account to another account.
For the created bucket in permission tab there is an option of Access for other AWS accounts. Under that I am seeing an Add Account button. I clicked it and gave my other account from which I want to access this bucket.
However, I am getting an Invalid ID error.
If you wish to grant access to specific User in a different account, it's quite simple. (I don't think this method will work for giving access to a different Account.)
Let's say you have:
Account A with Bucket A that you own
Account B with User B to which you wish to grant access
Ask User B for the ARN associated with their IAM User. This can be seen in the IAM Management Console and it will look like:
arn:aws:iam::123456789012:user/fred
Then, add a Bucket Policy to Bucket A:
{
"Version": "2012-10-17",
"Id": "S3AccessPolicy",
"Statement": [
{
"Sid": "GiveFredAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/fred"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-a",
"arn:aws:s3:::bucket-a/*"
]
}
]
}
This will allow Fred to access the S3 bucket. This works for users in the same account AND for users in a different account.
For getting the canonical ID, one of the simplest ways is to use CLI and run
aws s3api list-buckets command.
You will get the ID in the output.
There are other ways also for getting the canonical ID and are clearly described in the aws docs: https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
list-buckets aws docs: https://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html
You need the "canonical user id". You can find out about this here.
To view your canonical user ID as a root user (console)
Sign in as the root user using your AWS account email address and password.
... snip ...
In the top right of the console, choose your account name or number. Then choose My Security Credentials.
If necessary, in the dialog box, choose Continue to Security Credentials. You can choose the box next to Don’t show me this message again to stop the dialog box from appearing in the future.
Expand the Account Identifiers section to view your canonical user ID.
Note
If you do not see the Account Identifiers section, then you are not signed in as the root user. Return to Step 1 above. If you do not have access to the root user credentials, contact your AWS account administrator and ask them to retrieve the canonical user ID.
Related
Scenario:
I have 3 AWS root accounts in the same organization.
admin#mydomain.com
user1#mydomain.com
user2#mydomain.com
user1 created an S3 bucket B1. I want user2 and admin to be able to see and browse B1 on their own S3 dashboard. Is this possible? What policy(policies) that I need to create? Where do I create these policies and how to create them?
**The original question has been edited. Some answers below might not be relevant any more
I believe all you need to do is add Principal: "*" to the policy. This opens access to anyone, but the condition will limit it to the org.
As far as I know, I cannot do the S3 bucket console sharing between root users. I've finally managed to share the bucket created by user1 with an IAM user.
Steps for Root User
Login into AWS console and go to IAM
Create group
Create IAM policy i.e. allowing S3 full access (see below)
Attach policy to group
Create IAM user
For Access type choose AWS Management Console access
Add user to the group you created in step 1
Follow through until you click on create user button
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-xxxvvvwww8"
}
}
}
]
}
EDIT:
After rigorous trial & error testing, it seems that we don't even need bucket policy for this to work. I've removed the bucket policy and it all still works!
Steps for IAM User
Log into AWS console as IAM user
Go to S3 console. You should be able to see and browse all buckets and objects created by all organization members
Note
Your IAM user would not be able to see the bucket listed on its S3 console dashboard. That shared bucket can only be accessed through direct link. So your root user must provide the URL i.e. https://s3.console.aws.amazon.com/s3/buckets/bucket1/ to your IAM user
I have just started with a new company and I need to modify contact info on AWS. Any attempt gives me the error
Access Denied, you need ModifyAccount to modify this page.
I have given my user that the following policy with no luck.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "aws-portal:*",
"Resource": "*"
}
]
}
I have also attempted a policy with just
aws-portal:modfiyAccount
and a policy allowing all actions on all resources. What is stopping me from modifying contact info on AWS account?
Tasks that require root user credentials
Tasks
Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and Regions, do not require root user credentials.
Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
Activate IAM access to the Billing and Cost Management console.
View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not AWS Inc or Amazon Internet Services Pvt. Ltd (AISPL).
and so on .
I have an application where I am using Cognito to authenticate users and giving temporary access to AWS Console but that user is able to see all other buckets, I want that user just should be able to see or access buckets created by him.
Currently, I have given S3FullAccess Policy to Cognito users. Can anyone suggest which policy I should attach?
As per my R&D, I can some policies are there that can restrict particular user or allow particular user but my users will be dynamic, so I cannot hard-code the values and also policies like allowing/restricting access to particular buckets, I want only users who create buckets should be able to access not other users.
This is something which i found
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:userid}/*"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name/home/${aws:userid}",
"arn:aws:s3:::bucket-name/home/${aws:userid}/*"
]
}
]
}
But this is listing all buckets and the only accessible bucket is what put in the code above, I want for new user, it should show nothing and as it creates, it should show that only
This is not going to be easy and you will need to create your own policy and enforce some conventions. You have 3 options.
But first, if each user just needs their own S3 space look at S3 Prefix [here](
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/) Also, you can do this on the S3 resource bucket. I have a template for doing this here in gitlab
Now back to answering your question.
Option 1; They will need to set a tag when they create the bucket where an "owner" tag is equal to their identity. I striked this one out because despite being listed in the IAM policy I'm pretty sure it doesn't work with S3.
Option 2: The prefix of the bucket name is equal to their identity.
Then you can use the feature of variables and tags in IAM Policy. Read here
Note that coginto users are web federated identities so the variable aws:username is not aviable for you. Use the aws:userid variable and the value will be role id:caller-specified-role-name where role id is the unique id of the role and the caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRoleWithWebIdentity request
Option 3: Use IAM Access Policy
I can not find a link to the how to at the moment. But from here is a detailed description.
Q: How do I control what a federated user is allowed to do when signed in to the console?
When you request temporary security credentials for your federated
user using an AssumeRole API, you can optionally include an access
policy with the request. The federated user’s privileges are the
intersection of permissions granted by the access policy passed with
the request and the access policy attached to the IAM role that was
assumed. The access policy passed with the request cannot elevate the
privileges associated with the IAM role being assumed. When you
request temporary security credentials for your federated user using
the GetFederationToken API, you must provide an access control policy
with the request. The federated user’s privileges are the intersection
of the permissions granted by the access policy passed with the
request and the access policy attached to the IAM user that was used
to make the request. The access policy passed with the request cannot
elevate the privileges associated with the IAM user used to make the
request. These federated user permissions apply to both API access and
actions taken within the AWS Management Console.
The nice thing about this approach is you programmatically create the access policy.
Want to view, list, modify the S3 bucket (s) and objects (s) in the linked account for manipulation purpose, but not able to.
Description:
I have a master account and three member account. I have logged in with the user 'Jagdish' to my master account and assumed a Admin role to different linked accounts in AWS. Now the situation is i want to access the bucket and its resources present in master account from one of my member account '1'. which i am not able to view or list at this point of time
Things didnt work:
I have logged in to the AWS master account, and modified its ACL policies to allow the member account ID full access
I have used the bucket policy in the master account bucket to allow access for member account (please refer code in below section)
I have tried to create a cross account role in master account, and then sts policy accessing the role from master account, but here in this case the problem is I have to assign this role particular user in the member account rather than root user. I want the permissions to be for the member root user
Used Service Control Policies (SCP) in master account to give full S3 access policy and assigned it to member account. but it didnt work
{
"Version": "2012-10-17",
"Id": "Policy15556916455366",
"Statement": [
{
"Sid": "Stmt155562234628751",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<member account number>:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::cdbucket-jagdish"
}
]
}
I want my member account (when i switch from master to member account) in AWS Organization to be able to view or list the bucket (s) from the master account. So that the bucket can be used for operations like reading or writing the files to that bucket.
How do I add a new superuser to my AWS account? I need this new user to have all the same privileges to manage AWS as the owner (me)?
As far as I know you can only maintain one set of root account credentials with one owner per account. Even if this is an account you maintain yourself, Amazon recommends creating an IAM user for yourself with administrative privileges to keep the root account credentials secure.
In order to add a user with the same privileges, from your root account you can create that user in the IAM console and grant the user Administrator access with the full-admins policy below.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
To allow the user to access the Account Activity and Billing section, you need to activate the pages in the "IAM user access to the AWS" section on the Manage Your Account Page from your root account.
That should give the user the same level of access as the account owner without passing out the root credentials.