I am new to Amazon IAM permissions. I created a group, added some users and then added a Policy, the one I found that suited me the most is called AmazonS3FullAccess policy, but I want to grant the group full access permission only to one of my buckets, not to all of them, how can I do that?
I assume AmazonS3FullAccess looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
In IAM Policies, things like buckets are identified by the element "Resource." You might notice the policy above specifies the resource as the wildcard character *. This means that the policy above applies to all S3 resources.
You can limit the policy to a single S3 bucket by specifying the ARN of the bucket you wish to use:
"Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
Related:
AWS Documentation - IAM Policy Elements Reference
AWS Documentation - S3 Bucket ARN Syntax
Related
Look for a policy for S3 bucket that will allow all IAM roles and users from different account, to be able to download files from the bucket that is located in my AWS account.
Thanks for help
You can apply object level permissions to another account via a bucket policy.
By using the principal of the root of the account, every IAM entity in that account is able to interact with the bucket using the permissions in your bucket policy.
An example bucket policy using the root of the account is below.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB-ID:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::awsexamplebucket1"
]
}
]
}
More information is available in the Bucket owner granting cross-account bucket permissions documentation
Fo that, you would need to provide a cross-account access to the objects in your buckets by giving the IAM role or user in the second Account permission to download (GET Object) objects from the needed bucket.
The following AWS post
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ provides details on how to define the IAM policy.
In your case, you just need the Get object permission.
I have an Amazon AWS account and I'm using Amazon S3.
I'd like to give access to specific people to a Amazon S3 bucket.
Here's what I'd like to do :
Amazon AWS: Access limited to my account
Amazon S3: Access limited to my account
Bucket "website-photos": Access authorized to 3 people that will be able to read and write in the bucket through AWS management console.
Files in the bucket "website-photos": Public can read them.
How can I setup this config?
Just create an IAM policy and attach to the users you want to give access:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}
See: Amazon S3: Allows Read and Write Access to Objects in an S3 Bucket - AWS Identity and Access Management
The general approach is:
If you want something to be "public" (accessible by anyone), then use a Bucket Policy
If you want to only assign permissions to a specific IAM User, then attach a policy to the IAM User
If you want to only assign permissions to a group of IAM Users, then create an IAM Group, attach a policy and assign the group to the desired IAM Users
This is the bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxx:user/userName"
},
"Action": "*",
"Resource": "arn:aws:s3:::my-super-awesome-bucket-name-test/*"
}
}
Using AWS CLI I am able to list the contents of the bucket:
aws s3 ls s3://my-super-awesome-bucket-name-test
2017-06-28 19:50:42 97 testFile.csv
However, I can't upload files:
aws s3 cp csv_sum.js s3://my-super-awesome-bucket-name-test/
upload failed: ./csv_sum.js to s3://my-super-awesome-bucket-name-test/csv_sum.js An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
Is there something else I need to do to grant my IAM user access? I added the required information via aws configure, is there something else needed?
This doesn't answer your specific question, but...
If you wish to grant Amazon S3 access to a specific IAM User, it is much better to assign a policy directly to the IAM User rather than adding them as a special-case on the S3 bucket policy.
You can similarly assign permissions to IAM Groups, and then any User who is assigned to that Group will inherit the permissions. You can even assign permissions for multiple S3 buckets this way, rather than having to modify several bucket policies.
I'm trying to transfer an S3 bucket to another since a developer is leaving our team. I created another AWS account with S3. I'm following these steps:
https://aws.amazon.com/premiumsupport/knowledge-center/account-transfer-s3/
The Bucket policy in for source AWS account works fine, but when I try the destination policy:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::sourcebucket",
"arn:aws:s3:::sourcebucket/*",
"arn:aws:s3:::destinationbucket",
"arn:aws:s3:::destinationbucket/*"
]
}
}
And update only the sourcebucket and dest bucket items above with my account details, I get the error:
Statement is missing required element - Statement "NO_ID-0" is missing "Principal" element
The destination policy in the article you cited is not a bucket policy. It's an IAM user or group policy.
Note the comment:
#User or group policy in the destination AWS account
This policy attaches to an IAM user or group in the IAM (as opposed to S3) console.
The source policy actually is a bucket policy, which is why it works as expected.
I have a number of buckets that start with the same namespace as in assets-<something>, so I was wondering what would be the best option to give rights to IAM group with minimal need to maintain it.
Is it possible to use any sort of regex in ARN? Or maybe I could use tags? EC2 has condition for ResourceTag, but it appears that it does not exist for S3.
Or should I with each bucket add new ARN to the policy?
Again, I am searching for the minimal solution so attaching new policy to each bucket itself seems to be a bit much.
An IAM policy can grant access to Amazon S3 buckets based on a wildcard.
For example, this policy grants permissions to list the contents of a bucket and retrieve an object from a bucket, but only if the bucket starts with assets-:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeSID",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::assets-*",
"arn:aws:s3:::assets-*/*"
]
}
]
}
Note that the Resource section refers to both the bucket (for ListBucket) and the content of the bucket (for GetObject).
Wildcard also work elsewhere in the bucket name, eg: arn:aws:s3:::*-record
It is not possible to grant access to Amazon S3 buckets based on Tags.
ARN format
As an aside, if you're wondering why there are so many colons in the ARN (Amazon Resource Name) for an Amazon S3 bucket, it's because the normal format for an ARN is:
arn:aws:<service name>:<region>:<account>:<resource>
In the case of an Amazon S3 bucket, the region and account can be discerned from the bucket name (which is globally unique), so those parameters are left blank.
Yes indeed it appears I can use IAM policy with ARN arn:aws:s3:::assets-* and arn:aws:s3:::assets-*/*