I accidentally set the S3 bucket policy to deny all actions on a bucket for all users:
{
  "Effect": "Deny",
  "Principal": {
    "AWS": "*"
  },
  "Action": "s3:*",
Now I can't delete anything in the bucket or even remove the bucket. I can't do anything to the bucket anymore. I can't even remove it with CloudFormation.
Is there a way to undo this or somehow remove this bucket?
To test this, I created a bucket and added this Bucket Policy:
{
  "Id": "TryThis",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NoBucket",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::my-bucket",
      "Principal": "*"
    },
    {
      "Sid": "NoObjects",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": "*"
    }
  ]
}
Indeed, I was unable to:
List contents
Upload objects
Edit the Bucket Policy
However, I was able to use the Delete Bucket command in the AWS Management Console.
I then repeated the experiment and logged in using my root credentials. I was then able to delete the bucket policy and restore all functionality to the bucket. Root credentials have full access to an AWS account.
I have an IAM user created with a policy for my bucket. With "block public access" enabled I can interact with the bucket as expected through this user.
Now I need to make a single public read-only folder using bucket policies, but I am not having any luck. I created the below policy, which should:
Disable all access for all principals
Enable all access for my IAM user
Enable read-only access to specific folders for all users.
{
  "Id": "Policy1676746531922",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1676745894018",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::bucket/*",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1676746261470",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000:user/bucket-user"
        ]
      }
    },
    {
      "Sid": "Stmt1676746523001",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/read-only-folder",
      "Principal": "*"
    }
  ]
}
I guess you cannot layer up access in this way, but I am unsure how to construct what I need. If I go with a single read policy to open up one folder, I still seem to be able to access all other folders publicly too:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/public/*"
    }
  ]
}
I can access "/public" but can still access "/private" too.
Is there a way to first lock down the entire bucket and then open up the folders I want to provide access to?
Your policy is failing because Deny always overrides an Allow.
The first statement in the policy will Deny access to the bucket for everyone (including you!).
Your second policy on arn:aws:s3:::bucket-name/public/* is the correct way to go. It will only grant anonymous access to that particular folder.
If you are able to access other folders, then either there are other policies that exist, or you are using "authenticated access" using your own AWS credentials. Make sure when you test it that you are putting a URL into a web browser that simply looks like: https://bucket-name.ap-southeast-2.s3.amazonaws.com/foo.txt
I want to restrict an AWS S3 bucket so that it cannot be accessed from anywhere. I want to block all access (public, private, bucket, folder, file, everything in that bucket). After that, I want to create an S3 access point and then give permission to an IAM user so that only that IAM user can perform all actions, and nobody else.
Now I am not sure what exactly I also need to enable or disable, like public access or something.
Also, I don't know whether I have to attach the policy to the bucket or to the access point.
I want to restrict an AWS S3 bucket so that it cannot be accessed from anywhere. I want to block all access (public, private, bucket, folder, file, everything in that bucket).
Use this policy to restrict all access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAll",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
Then I want to create an S3 access point and then give permission to an IAM user so that only that IAM user can perform all actions, and nobody else.
Use this policy to restrict all access except for one IAM user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "IAM-ROLE-ARN"
        }
      }
    },
    {
      "Sid": "AllowRole",
      "Effect": "Allow",
      "Principal": "IAM-ROLE-ARN",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
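To make the two evaluation rules used in the answers above concrete ("Deny always overrides an Allow", and a StringNotEquals condition on aws:PrincipalArn carving one caller out of a blanket Deny), here is an added example, not code from the thread or from AWS, that models how S3 decides a single request against the bucket policy alone. It assumes a constructed role ARN in place of the IAM-ROLE-ARN placeholder and ignores identity policies, ACLs, Block Public Access and the root user's recovery path.

```python
import fnmatch

# Added example, not code from the thread: a minimal model of how S3 evaluates a
# bucket policy for one request. An explicit Deny wins over any Allow, and a
# StringNotEquals aws:PrincipalArn condition carves one caller out of that Deny.
# Identity policies, ACLs, Block Public Access and root-user recovery are not modelled.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, caller_arn):
    # Principal is "*", an ARN string, or {"AWS": "*" | arn | [arns]}.
    # caller_arn=None stands for an anonymous (unsigned) request.
    if principal == "*":
        return True
    if isinstance(principal, str):
        return principal == caller_arn
    return any(a in ("*", caller_arn)
               for arns in principal.values() for a in _as_list(arns))

def _condition_holds(condition, caller_arn):
    # Only StringEquals / StringNotEquals on aws:PrincipalArn are modelled.
    for op, kv in (condition or {}).items():
        for key, val in kv.items():
            if key != "aws:PrincipalArn" or op not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported condition {op}/{key}")
            if (caller_arn in _as_list(val)) != (op == "StringEquals"):
                return False
    return True

def evaluate(policy, caller_arn, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against the
    bucket policy alone. A matching Deny short-circuits the whole evaluation."""
    decision = "ImplicitDeny"
    for s in policy["Statement"]:
        if not (_principal_matches(s["Principal"], caller_arn)
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"]))
                and _condition_holds(s.get("Condition"), caller_arn)):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed stand-in for the IAM-ROLE-ARN placeholder in the answer above.
ROLE_ARN = "arn:aws:iam::111111111111:role/bucket-admin"
CARVE_OUT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllExceptRole", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::bucket/*",
     "Condition": {"StringNotEquals": {"aws:PrincipalArn": ROLE_ARN}}},
    {"Sid": "AllowRole", "Effect": "Allow", "Principal": ROLE_ARN, "Action": "s3:*",
     "Resource": "arn:aws:s3:::bucket/*"}]}
```

Running the layered Deny/Allow policy from the earlier question through evaluate() returns "Deny" even for the IAM user it meant to allow, while CARVE_OUT returns "Allow" only for ROLE_ARN; note that CARVE_OUT covers bucket/* only, so bucket-level actions such as s3:ListBucket fall through to "ImplicitDeny" and must be granted elsewhere.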
In AWS Account B I have an S3 bucket with the following bucket policy:
allow PutObject from Account A (working fine)
allow ListBucket from Account C (working fine)
allow GetObject from Account C (not working)
The policy is the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "ACCOUNT_A"
      },
      "Action": "s3:PutObject",
      "Resource": "MYBUCKET/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "ACCOUNT_A"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "MYBUCKET"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "ACCOUNT_C"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "MYBUCKET/*",
        "MYBUCKET"
      ]
    }
  ]
}
Why can I List from AWS Account C but not GetObject? (I do suspect it's because of the ownership: Account A is the owner of the objects, but how do I fix it?)
Thanks,
If objects are uploaded to an Amazon S3 bucket from a different AWS Account, then the 'ownership' of the object will remain with the account that uploaded the object. This can be rather frustrating because the owner of the bucket can't even access the object!
There are two ways to avoid this...
Assign ownership
When uploading the object, specify an Access Control List (ACL) that assigns ownership to the owner of the bucket:
ACL='bucket-owner-full-control'
Turn off ACLs
You could Disable ACLs for your bucket - Amazon Simple Storage Service, which avoids the whole problem. In fact, this should probably be the default option for all buckets.
It's been found that the S3 bucket in our account got the wrong bucket policy applied to it; now access is denied for all users, including the root user:
{
  "bucketName": "somebucket",
  "bucketPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Stmt15348761457344",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::dhasg",
        "Principal": "*"
      },
      {
        "Sid": "Stmt153478299578",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": "arn:aws:s3:::somebucket",
        "Principal": "*"
      }
    ]
  }
}
We are not able to change the permissions through the AWS console or CLI, and we are not able to delete the bucket either. How do we fix it?
You should be able to edit the bucket policy as root. You will not be able to delete the bucket, even as root, until you modify the policy.
I want to migrate an S3 bucket from one account to another account. Here is my bucket policy:
{
  "Version": "2008-10-17",
  "Id": "Policy1335892530063",
  "Statement": [
    {
      "Sid": "DelegateS3Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxx:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::test123",
        "arn:aws:s3:::test123/*"
      ]
    },
    {
      "Sid": "Stmt1335892150622",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxx:root"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::test123"
    },
    {
      "Sid": "Stmt1335892526596",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxx:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::test123/*"
    }
  ]
}
Here is my IAM user policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::*"]
    }
  ]
}
When I run the command
aws s3 sync s3://test123 s3://abc-test123
I get this error:
A client error (AccessDenied) occurred when calling the CopyObject operation: Access Denied
Your bucket policy seems to be correct.
Please verify that you are using the root account, just as specified in your bucket policy.
Also, you may need to check that there are no Deny bucket policies on your destination bucket.
If nothing helps, you can enable temporary public access to your bucket as a workaround. Yes, it's not secure but it should probably work in all cases.
Make sure you are providing adequate permissions on both the source bucket (to read) and the destination bucket (to write).
If you are using root credentials (not generally recommended) for an account that owns the bucket, you probably don't even need the bucket policy; the root account should, by default, have the necessary access.
If you are assigning permissions to an IAM user, then instead of creating a Bucket Policy, assign permissions on the IAM user themselves. No need to supply a Principal in this situation.
Start by checking that you have permissions to list both buckets:
aws s3 ls s3://test123
aws s3 ls s3://abc-test123
Then check that you have permissions to copy a file from the source and to the destination:
aws s3 cp s3://test123/foo.txt .
aws s3 cp foo.txt s3://abc-test123/foo.txt
If they work, then the sync command should work, too.