I'm trying to transfer an S3 bucket to another since a developer is leaving our team. I created another AWS account with S3. I'm following these steps:
https://aws.amazon.com/premiumsupport/knowledge-center/account-transfer-s3/
The Bucket policy in for source AWS account works fine, but when I try the destination policy:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::sourcebucket",
"arn:aws:s3:::sourcebucket/*",
"arn:aws:s3:::destinationbucket",
"arn:aws:s3:::destinationbucket/*"
]
}
}
And update only the sourcebucket and dest bucket items above with my account details, I get the error:
Statement is missing required element - Statement "NO_ID-0" is missing "Principal" element
The destination policy in the article you cited is not a bucket policy. It's an IAM user or group policy.
Note the comment:
#User or group policy in the destination AWS account
This policy attaches to an IAM user or group in the IAM (as opposed to S3) console.
The source policy actually is a bucket policy, which is why it works as expected.
Related
I have created bucket poc-work from admin account, and under this policy I have set policy like below:
{
"Version": "2012-10-17",
"Id": "Policy1620674317608",
"Statement": [
{
"Sid": "Stmt1321974214233",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accound-id:user/iam-user"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::poc-work",
"arn:aws:s3:::poc-work/*"
]
}
]
}
I have not attached any aws managed policy like s3readonly to IAM user , but I am under assumption that setting bucket policy should make bucket visible to IAM user . But when IAM user log in and check for s3 service there is error message:
You don't have permissions to list buckets
I have below queries:
can't I create bucket policy that enables list s3 buckets ?
Is it necessary to attach policy already defined browsing on IAM console and then rest of operations control with bucket policy ?
You are giving the user permission for one bucket, but if the user is going through the console the user needs the ListAllBuckets permission to see all the buckets that exist in the account. So you do need to add permissions to the IAM user as well--not just the one bucket.
Also see:
https://acloud.guru/forums/s3-masterclass/discussion/-L6X96Lo37ZnG_g6wiEg/ListBucket%20vs%20ListAllMyBuckets
https://stackoverflow.com/a/30961920/230055
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example1.html
The 1st link says:
ListAllMyBuckets is required for seeing the list of buckets via the
AWS console. It is a MUST if you plan to use the console for S3
administration. If you don't have this permission you basically won't
see any of the buckets in the S3 console despite whatever other
permissions you have configured and therefore can't take any action
upon them.
Look for a policy for S3 bucket that will allow all IAM roles and users from different account, to be able to download files from the bucket that is located in my AWS account.
Thanks for help
You can apply object level permissions to another account via a bucket policy.
By using the principal of the root of the account, every IAM entity in that account is able to interact with the bucket using the permissions in your bucket policy.
An example bucket policy using the root of the account is below.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB-ID:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::awsexamplebucket1"
]
}
]
}
More information is available in the Bucket owner granting cross-account bucket permissions documentation
Fo that, you would need to provide a cross-account access to the objects in your buckets by giving the IAM role or user in the second Account permission to download (GET Object) objects from the needed bucket.
The following AWS post
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ provides details on how to define the IAM policy.
In your case, you just need the Get object permission.
This is the bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxx:user/userName"
},
"Action": "*",
"Resource": "arn:aws:s3:::my-super-awesome-bucket-name-test/*"
}
}
Using AWS CLI I am able to list the contents of the bucket:
aws s3 ls s3://my-super-awesome-bucket-name-test
2017-06-28 19:50:42 97 testFile.csv
However, I can't upload files:
aws s3 cp csv_sum.js s3://my-super-awesome-bucket-name-test/
upload failed: ./csv_sum.js to s3://my-super-awesome-bucket-name-test/csv_sum.js An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
Is there something else I need to do to grant my IAM user access? I added the required information via aws configure, is there something else needed?
This doesn't answer your specific question, but...
If you wish to grant Amazon S3 access to a specific IAM User, it is much better to assign a policy directly to the IAM User rather than adding them as a special-case on the S3 bucket policy.
You can similarly assign permissions to IAM Groups, and then any User who is assigned to that Group will inherit the permissions. You can even assign permissions for multiple S3 buckets this way, rather than having to modify several bucket policies.
I am new to Amazon IAM permissions. I created a group, added some users and then added a Policy, the one I found that suited me the most is called AmazonS3FullAccess policy, but I want to grant the group full access permission only to one of my buckets, not to all of them, how can I do that?
I assume AmazonS3FullAccess looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
In IAM Policies, things like buckets are identified by the element "Resource." You might notice the policy above specifies the resource as the wildcard character *. This means that the policy above applies to all S3 resources.
You can limit the policy to a single S3 bucket by specifying the ARN of the bucket you wish to use:
"Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
Related:
AWS Documentation - IAM Policy Elements Reference
AWS Documentation - S3 Bucket ARN Syntax
I have a number of buckets that start with the same namespace as in assets-<something>, so I was wondering what would be the best option to give rights to IAM group with minimal need to maintain it.
Is it possible to use any sort of regex in ARN? Or maybe I could use tags? EC2 has condition for ResourceTag, but it appears that it does not exist for S3.
Or should I with each bucket add new ARN to the policy?
Again, I am searching for the minimal solution so attaching new policy to each bucket itself seems to be a bit much.
An IAM policy can grant access to Amazon S3 buckets based on a wildcard.
For example, this policy grants permissions to list the contents of a bucket and retrieve an object from a bucket, but only if the bucket starts with assets-:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeSID",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::assets-*",
"arn:aws:s3:::assets-*/*"
]
}
]
}
Note that the Resource section refers to both the bucket (for ListBucket) and the content of the bucket (for GetObject).
Wildcard also work elsewhere in the bucket name, eg: arn:aws:s3:::*-record
It is not possible to grant access to Amazon S3 buckets based on Tags.
ARN format
As an aside, if you're wondering why there are so many colons in the ARN (Amazon Resource Name) for an Amazon S3 bucket, it's because the normal format for an ARN is:
arn:aws:<service name>:<region>:<account>:<resource>
In the case of an Amazon S3 bucket, the region and account can be discerned from the bucket name (which is globally unique), so those parameters are left blank.
Yes indeed it appears I can use IAM policy with ARN arn:aws:s3:::assets-* and arn:aws:s3:::assets-*/*