AWS S3: user policy for specific bucket - amazon-web-services

I just set up my AWS S3.
My application works with full-admin-access keys, but because this can be risky, I want to set up an IAM user with an IAM group and allow only S3 stuff for him.
My bucket is located in eu-central-1 and its name is 'MYBCKET' in the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::MYBCKET"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::MYBCKET/*"
]
}
]
}
This is NOT working. If I give the user the following policy it's working:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"*"
]
}
]
}
It has to be something with the resource for sure.
Can somebody explain to me what the resource consists of, so that I can understand and hopefully find errors?
Just to tell you: I am sure I spelled my bucket's name right, and I also tried different combinations in the resource, arn:aws:s3:::MYBCKET/* AND arn:aws:s3:::MYBCKET, and some others that did not work.
Thanks for your answers and time.

I don't see anything wrong with your policy, if the intent is that the user should access the bucket programmatically.
If the user also needs to be able to access the policy through the console, you could try this instead, which will allow the user to list the buckets:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::MYBCKET"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::MYBCKET/*"]
}
]
}

Related

Copying S3 files from one account to another

I am trying to simply copy some files from another S3 account to mine, but I am constantly facing the following error:
An error occurred (AccessDenied) when calling the UploadPartCopy operation: Cannot access through this access point
I have added policies on the IAM user and the bucket for the required copy-paste operation.
IAM Policy (Destination User):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetObjectTagging",
"s3:PutObjectTagging"
],
"Resource": [
"arn:aws:s3:us-west-2:620889225884:accesspoint/bulian-ai-mdl-parquet-1-access-point/*",
"arn:aws:s3:us-west-2:620889225884:accesspoint/bulian-ai-mdl-parquet-1-access-point",
"arn:aws:s3:::bulian-ai-mdl-parque-eziseoueyefwzsncu4iwr13fgpocyusw2b-s3alias/*",
"arn:aws:s3:::bulian-ai-mdl-parque-eziseoueyefwzsncu4iwr13fgpocyusw2b-s3alias",
"arn:aws:s3:::mobilelocationfeed.parquet.usw2.onemata.com/*",
"arn:aws:s3:::mobilelocationfeed.parquet.usw2.onemata.com"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObjectTagging",
"s3:PutObjectTagging"
],
"Resource": [
"arn:aws:s3:::bulianai/",
"arn:aws:s3:::bulianai/*"
]
}
]
}
Bucket Policy (Destination):
{
"Version": "2012-10-17",
"Id": "Policy1611277539797",
"Statement": [
{
"Sid": "Stmt1611277535086",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::864295014592:user/bulian_demo"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bulianai/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "Stmt1611277877767",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::864295014592:user/bulian_demo"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bulianai"
}
]
}
I am able to list the source files on the CLI, therefore this account does have access to the source bucket. I am not quite sure what exactly the issue is over here.
Edit:
Source Bucket
s3://bulian-ai-mdl-parque-eziseoueyefwzsncu4iwr13fgpocyusw2b-s3alias/location_country=IN/output_year=2022/output_month=10/output_day=01/
Destination Bucket
s3://bulianai/OneMata/
Strange, I have never seen such a usage of wildcards (docs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html):
"s3:Get*",
"s3:List*",
"s3:Put*"
Your IAM policy is missing permissions for the source or destination bucket (unclear which is source or destination):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::source-DOC-EXAMPLE-BUCKET",
"arn:aws:s3:::source-DOC-EXAMPLE-BUCKET/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET",
"arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*"
]
}
]
}
Follow this https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/

Object level restriction for s3 with IAM Role

I am trying to restrict user access at the object level in S3.
There are 2 folders in the S3 bucket. I am trying to give access to only one of the folders.
The two folders are:
broker
carrier
This is the IAM Role policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::lodeobucket"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}
But the user is able to access the carrier folder as well.
Could anyone suggest what I am missing?
If you add the following condition:
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
your user will not be able to enter the carrier folder. It will still be visible in the console. I don't think you can "hide" other folders, as this would break console access.
You can try the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::lodeobucket",
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}

unable to assign IAM and S3 Bucket policies to List/Get/Put

It has been 2 hours trying to figure it out. I have an IAM user s3readonly with the following attached policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::MyBucket"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::MyBucket/*"
}
]
}
and S3 Bucket Policy for MyBucket (changed names):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow Read Only for s3readonly user",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MyAccountId:user/s3readonly"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::MyBucket"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MyAccountId:user/s3readonly"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::MyBucket/*"
}
]
}
However, even after so many changes, with the policies I have arrived at above, when I log in as s3readonly I get "Access Denied" in the S3 Dashboard.
Can anyone help?

Create AWS Access Policy to Only 1 S3 Bucket

I'm trying to create a policy that allows access to only 1 bucket for our clients' WordPress backups using BackWPup.
This is after noticing that the default S3 Full Access policy allows full access to ALL buckets!
I tried following this article here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket-console.html
The policy looks like this (I replaced the bucket name with an appropriate one), and it's not working:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ConsoleAccess",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}
Receiving Error: S3 Service API: Access Denied
Then, I tried a simplified version:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PolicyID",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
Still no luck, with the same error. Any ideas? What am I missing?
Turns out I needed s3:ListBucketMultipartUploads and s3:GetBucketLocation to get it working properly.
Final version below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
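Added example, not from any of the posts above and not AWS code: a small offline model of the Allow/Action/Resource/Condition matching that the answers rely on. It shows why a bucket-level action like s3:ListBucket needs the bucket ARN and never matches an object ARN (the "simplified version" above fails for this reason), and how the s3:prefix StringLike condition from the folder-restriction answer separates broker/ from carrier/. Deny statements, bucket policies and other condition operators are left out by assumption; the policies and object keys are constructed.

```python
import fnmatch

# Offline approximation of how IAM evaluates Allow statements for an S3 request:
# wildcard matching on Action and Resource plus the StringLike condition on
# s3:prefix from the folder-restriction answer. Deny statements, bucket policies
# and other condition operators are deliberately not modelled (assumption).

def _matches(patterns, value, fold_case=False):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement grants `action` on `resource`; `context`
    holds request condition keys such as s3:prefix (a missing key never matches)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt["Action"], action, fold_case=True):  # action names are case-insensitive
            continue
        if not _matches(stmt["Resource"], resource):  # ARNs are case-sensitive
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if all(k in context and _matches(v, context[k]) for k, v in cond.items()):
            return True
    return False

# Constructed policies (already-parsed JSON) adapted from the posts above.
BUCKET_AND_OBJECTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::MYBCKET"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::MYBCKET/*"]}]}
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [  # the failing "simplified version"
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucket-name/*"]}]}
BROKER_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::lodeobucket",
     "Condition": {"StringLike": {"s3:prefix": ["", "broker/*"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::lodeobucket/broker/*"}]}

def demo():
    """Each entry pairs a request with the policy the posts above discuss."""
    return {
        "list_bucket": is_allowed(BUCKET_AND_OBJECTS, "s3:ListBucket", "arn:aws:s3:::MYBCKET"),
        "get_object": is_allowed(BUCKET_AND_OBJECTS, "s3:GetObject", "arn:aws:s3:::MYBCKET/backup.zip"),
        # an object-only ARN can never grant a bucket-level action, even with s3:*
        "objects_only_list": is_allowed(OBJECTS_ONLY, "s3:ListBucket", "arn:aws:s3:::bucket-name"),
        "objects_only_get": is_allowed(OBJECTS_ONLY, "s3:GetObject", "arn:aws:s3:::bucket-name/x.txt"),
        # s3:prefix condition: listing under broker/ is allowed, under carrier/ refused
        "list_broker": is_allowed(BROKER_ONLY, "s3:ListBucket", "arn:aws:s3:::lodeobucket", {"s3:prefix": "broker/"}),
        "list_carrier": is_allowed(BROKER_ONLY, "s3:ListBucket", "arn:aws:s3:::lodeobucket", {"s3:prefix": "carrier/"}),
        "get_carrier": is_allowed(BROKER_ONLY, "s3:GetObject", "arn:aws:s3:::lodeobucket/carrier/f.csv"),
    }
```

The real evaluator is the IAM Policy Simulator mentioned further down; this model only reproduces the matching rules the posts depend on.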

Bucket Policy Editor:Policy could not be parsed as a valid JSON string

I'm learning about the AWS CLI, and I am trying to copy from a local folder to a bucket in S3. When I type the command, the output returns this error:
upload failed: ./lalala.txt to s3://buecket_name/ An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
So I searched about this, and the Internet tells me that the problem is in the bucket policy editor, so I try to edit the policy, but when I click save the error is:
Bucket Policy Editor:Policy could not be parsed as a valid JSON string
My policy script:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets"
"Resource": "arn:aws:s3:::bucket-name*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
So I tried to change the script by adding the "principal", as someone recommends, but the errors continue:
Policy could not be parsed as a valid JSON string
The current script:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:Sao Paulo:X1X8XX6YYY16X:name-bucket*"
},
"Principal": {
"AWS": [
"arn:aws:iam::AWS-account-ID:root"
]
}
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
What am I doing wrong?
You are missing a comma after the first Action part:
"Action": "s3:ListAllMyBuckets",
Validating JSON documents can be done through services like jslint.
A policy for read/write access to a specific bucket is as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3Actions",
"Resource": [
"arn:aws:s3:::bucket-name/*",
"arn:aws:s3:::bucket-name"
],
"Action": [
"s3:DeleteObject",
"s3:PutBucketAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:Get*",
"s3:List*"
],
"Effect": "Allow"
}
]
}
Also, you can use the Policy Simulator, where you can select the policy and try it out to make sure that the appropriate actions are selected to perform your API call without any issues.