I have a webpage hosted in S3 which is to be accessed only by specific users within the account. For testing purpose, I added below bucket policy which has my iam arn specified in the Principal but I'm getting access denied error when trying to access the page (which is in that bucket) via S3 url https://s3.amazonaws.com/..... despite being signed in.
Can you please let me know what i'm doing wrong here.
Bucket Policy:
{
"Version": "2012-10-17",
"Id": "Policy1484430450679",
"Statement": [
{
"Sid": "Stmt1484430445422",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123:user/testuser"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::testbucket/*"
}
]}
If I give Principal as '*', then the webpage is accessible via S3 url.
Related
I am trying to access and modify my s3 bucket through my web client. To do so, I've created a bucket and modified it in a way that it would allow public access.
My bucket policy:
{
"Version": "2012-10-17",
"Id": "Policy1646559824301",
"Statement": [
{
"Sid": "Stmt1646559821897",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::airsoftarmory-user-inventory/*"
}
]}
My CORS setting:
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"PUT",
"HEAD",
"GET"
],
"AllowedOrigins": [
"*"
],
"ExposeHeaders": []
}]
ACL is enabled and looks like this:
For uploading an image to bucket, I created a new IAM user and a specific policy for putObject as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::airsoftarmory-user-inventory/*"
}
]
}
Used access keys of this user with policy attached inside my code.
The problem is, I am getting access denied response while both uploading and downloading. Can someone help me, what am I missing?
For me to troubleshoot this problem.
I will check if aws has been configured properly. You could follow this guide, and could try aws sts get-caller-identity to check if credentials works properly.
The IAM role for the user is only given for PutObject, so this will not allow user to be able get any object out from the bucket. Try adding more permission to this user such as GetObject permission. This will give the user authority to pull out data from the bucket.
The bucket policy at the bucket only allow for GetObject and does not allow for any PutObject. Again try adding the PutObject action to the bucket policy. This might also be the problem facing now of not able to upload object to the bucket.
If you are confused with IAM and bucket policy. Try reading these blogs:
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
https://binaryguy.tech/aws/s3/iam-policies-vs-s3-policies-vs-s3-bucket-acls/
Hope this helps!
I have a s3 bucket which does not have public access. I have a bucket policy but it was automatically generated when I connected a CDN to the bucket for a origin access Identity.
But thats all the policy has.
Bucket polices are dicks for me. Im wondering if this is in fact the problem or if it may be something else.
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::shofi-mod/*"
}
]
}
for comparison here is the bucket policy of my other bucket that does have public access. I am looking at the two for clues of what it is I should do
{
"Version": "2012-10-17",
"Id": "",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::user/shofi-stuff-bucket-user"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetBucketLocation",
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::shofi-stuff"
}
]
}
thank you so much kings
There's a few topics here.
The first bucket policy you have shown simply grants access to CloudFront via an Allow policy. It would not interfere with the pre-signed URL.
The second bucket policy (while not being directly relevant to your question) has an error in it. When using GetObject and PutObject, access must be granted to the contents of the bucket, no the bucket itself. (Whereas ListBucket does apply to the bucket.)
Therefore, the Resource should grant access to the bucket and the contents of the bucket:
"Resource": ["arn:aws:s3:::shofi-stuff", "arn:aws:s3:::shofi-stuff/*"]
As to why your pre-signed URL is not working, it would either be due to:
The underlying credentials (IAM User, IAM Role) that was used to generate the pre-signed URL does not have permission to perform the upload (perhaps due to a similar Resource problem), or
The pre-signed URL is being incorrectly generated
I am the root user of my account and i created one new user and trying to give access to s3 via s3 bucket policy:
Here is my policy details :-
{ "Id": "Policy1542998309644", "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1542998308012", "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": "arn:aws:s3:::aws-bucket-demo-1", "Principal": { "AWS": [ "arn:aws:iam::213171387512:user/Dave" ] } } ]}
in IAM i have not given any access to the new user. I want to provide him access to s3 via s3 bucket policy. Actually i would like to achieve this : https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/ But not from IAM , I want to use only s3 bucket policy.
Based on the following AWS blog post (the blog shows IAM policy, but it can be adapted to a bucket policy):
How can I grant a user Amazon S3 console access to only a certain bucket?
you can make the following bucket policy:
{
"Id": "Policy1589632516440",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1589632482887",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::aws-bucket-demo-1",
"Principal": {
"AWS": [
"arn:aws:iam::213171387512:user/Dave"
]
}
},
{
"Sid": "Stmt1589632515136",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::aws-bucket-demo-1/*",
"Principal": {
"AWS": [
"arn:aws:iam::213171387512:user/Dave"
]
}
}
]
}
This will require user to url directly to the bucket:
https://s3.console.aws.amazon.com/s3/buckets/aws-bucket-demo-1/
The reason is that the user does not have permissions to list all buckets available. Thus he/she has to go directly to the one you specify.
Obviously the IAM user needs to have AWS Management Console access enabled when you create him/her in the IAM service. With Programmatic access only, IAM users can't use console and no bucket policy can change that.
You will need to use ListBuckets.
It seems like you want this user to only be able to see your bucket but not access anything in it.
I have set up the following information:
Created an AWS S3 bucket and Uploaded some images into the particular folder
Created an AWS CloudFront web distribution:
Origin Domain Name: Selected S3 bucket from the list
Restrict Bucket Access: Yes
Origin Access Identity: Selected existed Identity
Grant Read Permissions on Bucket: Yes, Update Bucket Policy
AccessDenied
Access denied
I have got the signed URL from the above process like
image.png?policy=xxxxx#signature=xxx#Key-Pair-Id=XXXXXXX
but I couldn't access the URL
Sample JSON for cloud front policy
{
"Statement": [{
"Resource": "XXXXXXXXXX.cloudfront.net/standard/f7cecd92-5314-4263-9147-7cca3041e69d.png",
"Condition": {
"DateLessThan": {
"AWS:EpochTime": 1555021200
},
"IpAddress": {
"AWS:SourceIp": "0.0.0.0/0"
},
"DateGreaterThan": {
"AWS:EpochTime": 1554848400
}
}
}]
}
Added CloudFront bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket_name/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket_name"
}
]
}
It looks like the AccessDenied error you're seeing has nothing to do with the steps you have mentioned, the Origin access identity it to allow CloudFront to access S3 using a special user using sigv4, using above steps, you'll see a allow statement added to the bucket policy.
If it's a error from S3, you'll see like 2 request ids, host and request Ids along with Access denied massage.
image.png?policy=xxxxx#signature=xxx#Key-Pair-Id=XXXXXXX
If you're seeing Access denied, the error is with CloudFront signed URL (restricted viewer access).
To see whats wrong with the generated CloudFront signed URL, try to base64 decode the policy value and see the Resource URL/expires etc are correct or not.
Suppose I have an S3 bucket that has "Everyone Read" permission. Bucket is not public. Means anyone can access objects by typing its url in the browser. Now I want to remove this access from URL thing in browser. One option is to go to each images and remove "Read" from "Everyone" section. But since there are huge amount of images so this is not feasible.
So can I put such bucket policy which allows access only from one IAM user and not from browser thing? I tried adding such bucket policy that allow access to all resources for only specific user but still images are accessible from browsing through URL. Any thoughts?
Edit: Adding policy that I tried
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::test-bucket-public-issue",
"Principal": {
"AWS": [
"arn:aws:iam::AccounId:user/Username"
]
}
}
]
}
Ok #Himanshu Mohan I will explain you what i have done. I have created a S3 bucket and then i added the below bucket policy
{
"Version": "2012-10-17",
"Id": "Policy1534419239074",
"Statement": [
{
"Sid": "Stmt1534419237657",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::xxx-xxx-test/*"
}
]
}
While adding this policy the bucket will automatically public
Then i have uploaded an image as what you referred and i was able to access the same image via browser.
Now I changed the policy back to as what you said
Now i was not able to access the image, will show the access denied xml response. The only difference i see is i have added the /* after the bucket name "Resource": "arn:aws:s3:::xxx-xxx-test/*".