We Keep Coding

Cross account S3 access with CannedACL

We have a usecase where we put objects in an S3 bucket which is in different account than ours. We do that using IAM user. This is working fine.
We’ve now replaced IAM user based access with IAM role based access. Hence instead of IAM user I have created an IAM role and I have put identical permissions (same as IAM user) for IAM role at all places(on IAM role, on S3 bucket).
But it’s giving 403 error when I try to put an object in that bucket. What could be the reason (Shall I whitelist the sts arn on bucket ? Do we need to change bucket ACLs in anyway ?)
The S3 bucket has following policy attached
IAM role in account A is : arn:aws:iam::AAAAAA:role/my-role
Bucket in account B is : arn:aws:s3:::bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow Development Write Access",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AAAAAA:role/my-role"
]
},
"Action": "s3:Put*",
"Resource": [
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::bucket"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "Allow Development Read Access",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AAAAAA:role/my-role"
]
},
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::bucket"
]
}
]
}
I'm accessing it with the following piece of code:
s3Client.putObject(new PutObjectRequest(bucketName, key, file)
.withCannedAcl(CannedAccessControlList.BucketOwnerFullControl));
What could I be missing here?

This is fixed now. There was server side encryption enabled for that S3 bucket and my IAM role didn't have permission to KMS key used for encryption. Once this role given permission to KMS key it worked.
I didn't have to use that KMS key while making a putObject request, not sure why it required permission to KMS key then.
Also I could list the buckets (before the KMS key permission given) but couldn't put object (strange!)

Why is this s3 Bucket policy invalid?

{
"Version": "2012-10-17",
"Id": "Policy1612574490300",
"Statement": [
{
"Sid": "Stmt1612574488073",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:ec2:us-east-1:258977512672:instance/i-041123c1993c370ba"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"
]
}
]
}
response is Invalid Principal. I dont see why it's invalid.

An EC2 instance isn't a valid principal. I think what you actually need to do here is use the ARN of the IAM role assigned to the EC2 instance.

You can specify following Principal in a policy
AWS account and root user
IAM users
Federated users (using web identity or SAML federation)
IAM roles
Assumed-role sessions
AWS services
Anonymous users (not recommended)
S3 Documentation Principal
AWS JSON policy elements: Principal
If you wanna give that instant access to the bucket then you can use Instance profiles

IAM Role policy for cross account access to S3 bucket in a specific AWS account

Allow access from IAM Role in AccountA to given S3 buckets only if they are present in AWS AccountB (using Account Number).
Here is my Role policy in AccountA which currently has following permission. How can I update it to only access S3 bucket in AccountB.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*"
],
"Resource": [
"arn:aws:s3:::kul-my-bucket/my-dir/*"
]
},
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::kul-my-bucket"
]
}
]
}
Wondering if it is possible or should I try it differently?
Is anything similar to this possible for my case by providing the condition in the policy:
"Condition": {
"StringLike": {
"aws:accountId": [
"111111111111"
]
}
}
I need this because on the S3 bucket in AccountB it allows root access to AccountA. Hence I want to put restriction on Role policy in AccountA.

I do not think it is possible to grant/deny access to an Amazon S3 bucket based on an AWS Account number. This is because Amazon S3 ARNs exclude the Account ID and instead use the unique bucket name.
You would need to grant Allow access specifically to each bucket by name.
I have seen this situation before where the requirement was to grant S3 permission to access buckets only in other accounts, but not the account owning the IAM User themselves. We could not determine a way to do this without also granting permission to access the "same account" S3 buckets.

AWS: Could not able to give s3 access via s3 bucket policy

I am the root user of my account and i created one new user and trying to give access to s3 via s3 bucket policy:
Here is my policy details :-
{  "Id": "Policy1542998309644",  "Version": "2012-10-17",  "Statement": [    {      "Sid": "Stmt1542998308012",      "Action": [        "s3:ListBucket"      ],      "Effect": "Allow",      "Resource": "arn:aws:s3:::aws-bucket-demo-1",      "Principal": {        "AWS": [          "arn:aws:iam::213171387512:user/Dave"        ]      }    }  ]}
in IAM i have not given any access to the new user. I want to provide him access to s3 via s3 bucket policy. Actually i would like to achieve this : https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/ But not from IAM , I want to use only s3 bucket policy.

Based on the following AWS blog post (the blog shows IAM policy, but it can be adapted to a bucket policy):
How can I grant a user Amazon S3 console access to only a certain bucket?
you can make the following bucket policy:
{
"Id": "Policy1589632516440",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1589632482887",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::aws-bucket-demo-1",
"Principal": {
"AWS": [
"arn:aws:iam::213171387512:user/Dave"
]
}
},
{
"Sid": "Stmt1589632515136",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::aws-bucket-demo-1/*",
"Principal": {
"AWS": [
"arn:aws:iam::213171387512:user/Dave"
]
}
}
]
}
This will require user to url directly to the bucket:
https://s3.console.aws.amazon.com/s3/buckets/aws-bucket-demo-1/
The reason is that the user does not have permissions to list all buckets available. Thus he/she has to go directly to the one you specify.
Obviously the IAM user needs to have AWS Management Console access enabled when you create him/her in the IAM service. With Programmatic access only, IAM users can't use console and no bucket policy can change that.

You will need to use ListBuckets.
It seems like you want this user to only be able to see your bucket but not access anything in it.

How can I allow cognito users to access their own S3 folders

What I want is to let groups (families) of aws cognito users to read/write to S3 buckets which should be only available for those families of users.
I created a user with boto3 python library. Now I need to grant this user access to their folder in the bucket.
I found a few posts which suggested to create bucket policy like this:
policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Grant user access to his folder",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::BUCKET/users/${cognito-identity.amazonaws.com:sub}",
"Condition": {
"StringLike": {
"cognito-identity.amazonaws.com:sub": [
"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
"us-east-1:yyyyyyyy-xxxx-xxxx-xxxx-xxxxxxxxxx"
]
}
}
}
]}
But it turns out we can not specify "cognito-identity.amazonaws.com:sub" in bucket's policy condition.
Any help is highly appreciated.

I think the policy you have above needs to be in the IAM role for an authenticated user, not part of a bucket policy.