Proper (optimal) configuration of S3 Bucket Policy with IAM User - amazon-web-services

I have some experience with S3 bucket policies, but recently I've started experimenting with IAM users/groups and S3 bucket ACLs. What bothers me is that I fail to understand how they work together. Who overrides what? What I want to accomplish is to have a specific IAM user (with credentials) that will be used for uploading in my application. I've attached an IAM policy to it that looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
This policy is attached to the IAM user. Then I created the following policy on the S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DefaultPrivate",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::xxxxx-xxxxxx-xxxx/*"
    },
    {
      "Sid": "ThumbnailAndGaleryReadOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::xxxx-xxx-xxxx-xxxx/*/xxxxx/*",
        "arn:aws:s3:::xxxxx-xxxxx-xxxxx/*/xxxxxxx/*"
      ]
    },
    {
      "Sid": "S3UploaderWrite",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::xxxxxxxxxx:user/xxxxxxxx"},
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::xxxxxxxxxxxx/*"
    }
  ]
}
Unfortunately, as long as the "Deny" block is present in the S3 policy, it doesn't allow my S3 user to upload files. Is it possible that I can't "override" the Deny for a specific user with the "Allow" block (the IAM identifier is OK; I've double-checked)? Removing the "Deny" block gets it to work, but... that's not the point.
Any comments about the issue? How do I explicitly deny everything and then allow only certain actions for certain IAM users/groups/roles?
Thanks.

You could remove the Deny with Principal "*". You could specify your denied user or roles like "Principal": {"AWS":"arn:aws:iam::xxxxxxxxxx:user/xxxxxxxx"}. That solves your problem.

Related

Which is more powerful, the authenticated user's role or the bucket's policy?

I have an identity pool which has the following policy attached to the authenticated users role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:CreateBucket"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
And I have the following bucket policy applied on an S3 bucket called testbucketoz123:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCognitoUserAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::testbucketoz123/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/CognitoIdentityId": "099702b2-0c2e-42ce-8e27-3012ab6032ad"
        }
      }
    },
    {
      "Sid": "AllowCognitoUserAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::testbucketoz123",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/CognitoIdentityId": "099702b2-0c2e-42ce-8e27-3012ab6032ad"
        }
      }
    }
  ]
}
Correct me if I am missing something, but I think the above bucket policy allows just the user with the Cognito Identity ID "099702b2-0c2e-42ce-8e27-3012ab6032ad" to perform the actions "s3:PutObject" and "s3:GetObject" on all objects within the S3 bucket testbucketoz123. It also allows the same user to list the contents of the testbucketoz123 bucket.
My questions are:
Can any authenticated user access the 'testbucketoz123' bucket, or just the Cognito user with the Cognito Identity ID 099702b2-0c2e-42ce-8e27-3012ab6032ad?
Note:
I set the same bucket policy, but the authenticated users had the AWSS3FullAccess permission, and the result was:
Every authenticated user had access to the 'testbucketoz123' bucket despite the bucket policy.
I assume that if a user has the AWSS3FullAccess policy, it would allow them full access to all S3 buckets within your account, regardless of any other policies that may be in place.
If so, how do I limit access to a bucket to just one Cognito user? Thanks in advance.
Bucket policies and user policies are two access policy options available for granting permission to your Amazon S3 resources.
This means either can Allow access, and your first policy allows access to testbucketoz123 and its objects.
In addition to the Allow on aws:PrincipalTag/CognitoIdentityId, you can add a corresponding Deny for when the Condition is not met. However, be careful not to over-Deny actions; otherwise your administrators will not be able to manage the bucket.
{
  "Sid": "AllowCognitoUserAccess",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [
    "s3:PutObject",
    "s3:GetObject"
  ],
  "Resource": "arn:aws:s3:::testbucketoz123/*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalTag/CognitoIdentityId": "099702b2-0c2e-42ce-8e27-3012ab6032ad"
    }
  }
},
{
  "Sid": "DenyNonCognitoUserAccess",
  "Effect": "Deny",
  "Principal": "*",
  "Action": [
    "s3:PutObject",
    "s3:GetObject"
  ],
  "Resource": "arn:aws:s3:::testbucketoz123/*",
  "Condition": {
    "StringNotEquals": {
      "aws:PrincipalTag/CognitoIdentityId": "099702b2-0c2e-42ce-8e27-3012ab6032ad"
    }
  }
}

Allow S3 bucket operations based on EC2 role

Our EC2s are secured using IAM roles. When trying to run an AWS console command such as aws s3 cp I am seeing:
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
If allowed based on specific users that are given keys, there are no issues. This just isn't working with roles.
Here is the bucket ACL:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Public",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Sid": "Devs",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::1234567890:user/DevUser"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/something-privileged/*"
    },
    {
      "Sid": "EC2s",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:role/EC2Role"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/something-privileged/*"
    }
  ]
}
As you can see, we want the public to generally be able to fetch objects that we link to. This works.
We want devs to be able to access a specific hidden folder in the bucket using their AWS keys. This works.
We want EC2s to be able to run aws-cli commands on that same hidden folder using only the assigned security role. This does not work.
I also tried "Effect": "Deny", "NotPrincipal": { ... } on the EC2 statement, but that didn't work either.
What's wrong with this ACL?
You have a Deny statement in this where the principal is not that specific IAM user. In any AWS permission evaluation, a Deny will always override an Allow, which is the scenario happening here.
To allow this, you will need to include the IAM role ARN in the NotPrincipal statement as well. This would look like the statement below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Public",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Sid": "Devs",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::1234567890:user/DevUser",
          "arn:aws:iam::1234567890:role/EC2Role"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/something-privileged/*"
    }
  ]
}
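The three questions above turn on the same evaluation rule: for a same-account principal, an explicit Deny in either the identity policy or the bucket policy beats every Allow, which is why the blanket "Principal": "*" Deny in the first question blocks the uploader, why the Allow-only Cognito policy in the second question cannot hold back a broad identity policy until a matching Deny is added, and why the NotPrincipal carve-out in the third question is what lets a listed identity through. The following is an added example, not code from any of the posts or from AWS: a small model of that logic (explicit deny wins, then any allow, else implicit deny) that supports Principal, NotPrincipal, wildcard Action/Resource matching and the StringEquals/StringNotEquals condition operators used on this page. The account ids, ARNs, bucket name and Cognito identity id are constructed placeholders, and the model ignores cross-account evaluation, service control policies and permission boundaries.

```python
# Added example: toy model of AWS policy evaluation for an S3 request by a
# same-account principal. A matching explicit Deny in the identity policy or
# the bucket policy wins; otherwise a matching Allow in either grants access;
# otherwise the request is implicitly denied. Models Principal, NotPrincipal,
# wildcard Action/Resource and StringEquals / StringNotEquals conditions.
# All ARNs, bucket names and identity ids below are constructed placeholders.
from fnmatch import fnmatchcase

UPLOADER = "arn:aws:iam::111111111111:user/uploader"
OTHER_USER = "arn:aws:iam::111111111111:user/someone-else"
COGNITO_ROLE = "arn:aws:iam::111111111111:role/CognitoAuthenticated"
OBJECT = "arn:aws:s3:::example-bucket/photos/1.jpg"
OBJECTS = "arn:aws:s3:::example-bucket/*"
TAG_KEY = "aws:PrincipalTag/CognitoIdentityId"
TAG_VALUE = "00000000-0000-0000-0000-000000000000"
UPLOADER_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "arn:aws:s3:::*",
                   "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]}]}
S3_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _as_list(value):
    # IAM lets most elements be a scalar or a list; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM-style wildcard: '*' spans any characters, '/' included.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(spec, principal_arn):
    if spec == "*":
        return True
    aws = _as_list(spec.get("AWS")) if isinstance(spec, dict) else []
    return any(p in ("*", principal_arn) for p in aws)

def _targets(stmt, principal_arn):
    if "Principal" in stmt:
        return _principal_matches(stmt["Principal"], principal_arn)
    if "NotPrincipal" in stmt:
        return not _principal_matches(stmt["NotPrincipal"], principal_arn)
    return True  # identity policies carry no Principal: they bind to the attached identity

def _condition_holds(condition, context):
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            present = context.get(key) in _as_list(expected)  # missing key -> not equal
            if present != (operator == "StringEquals"):
                return False
    return True

def evaluate(action, resource, principal_arn, identity_policy=None,
             bucket_policy=None, context=None):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    allowed = False
    for policy in (identity_policy, bucket_policy):
        for stmt in (policy or {}).get("Statement", []):
            if (_targets(stmt, principal_arn) and _matches(stmt.get("Action"), action)
                    and _matches(stmt.get("Resource"), resource)
                    and _condition_holds(stmt.get("Condition"), context or {})):
                if stmt["Effect"] == "Deny":
                    return "explicit deny"  # a matching Deny ends evaluation at once
                allowed = True
    return "allow" if allowed else "implicit deny"

def deny_then_allow_results():
    # Blanket Deny with Principal "*" (first question) versus the same Deny scoped
    # with NotPrincipal so the uploader is carved out (third question's fix).
    allow = {"Effect": "Allow", "Principal": {"AWS": UPLOADER}, "Action": "s3:PutObject",
             "Resource": OBJECTS}
    blanket = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "*",
                              "Resource": OBJECTS}, allow]}
    scoped = {"Statement": [{"Effect": "Deny", "NotPrincipal": {"AWS": UPLOADER},
                             "Action": "*", "Resource": OBJECTS}, allow]}
    return {
        "blanket_uploader": evaluate("s3:PutObject", OBJECT, UPLOADER, UPLOADER_POLICY, blanket),
        "scoped_uploader": evaluate("s3:PutObject", OBJECT, UPLOADER, UPLOADER_POLICY, scoped),
        "scoped_other": evaluate("s3:GetObject", OBJECT, OTHER_USER, S3_FULL_ACCESS, scoped),
    }

def cognito_tag_results():
    # Allow-on-tag alone cannot stop a broad identity policy (second question);
    # the paired Deny with StringNotEquals does.
    allow = {"Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": OBJECTS, "Condition": {"StringEquals": {TAG_KEY: TAG_VALUE}}}
    deny = dict(allow, Effect="Deny", Condition={"StringNotEquals": {TAG_KEY: TAG_VALUE}})
    allow_only, with_deny = {"Statement": [allow]}, {"Statement": [allow, deny]}
    wrong, right = {TAG_KEY: "other-identity"}, {TAG_KEY: TAG_VALUE}
    return {
        "allow_only_wrong_user": evaluate("s3:GetObject", OBJECT, COGNITO_ROLE, S3_FULL_ACCESS, allow_only, wrong),
        "with_deny_wrong_user": evaluate("s3:GetObject", OBJECT, COGNITO_ROLE, S3_FULL_ACCESS, with_deny, wrong),
        "with_deny_right_user": evaluate("s3:GetObject", OBJECT, COGNITO_ROLE, None, with_deny, right),
    }

if __name__ == "__main__":
    print(deny_then_allow_results())
    print(cognito_tag_results())
```

The NotPrincipal form is also what keeps the bucket administrators out of trouble in the second answer's sense: anyone who must keep managing the bucket has to be carved out of the Deny, because once the Deny matches them no Allow anywhere will help.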

AWS S3 Error 'Policy has invalid resource'

I was moving an S3 bucket from a source bucket to a destination bucket.
Below is the reference I used to do the work.
https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/?nc1=h_ls
But I got an error while making the policy. The error message is "Policy has invalid resource".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<SOURCE_BUCKET_NAME>",
        "arn:aws:s3:::<SOURCE_BUCKET_NAME>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<DESTINATION_BUCKET_NAME>",
        "arn:aws:s3:::<DESTINATION_BUCKET_NAME>/*"
      ]
    }
  ]
}
I changed the policy for a test and it worked. The difference is as follows.
arn:aws:s3:::<SOURCE_BUCKET_NAME> > arn:aws:s3:::<DESTINATION_BUCKET_NAME>
I don't know why it doesn't work if I fill in my SOURCE_BUCKET_NAME.
I swear the source bucket name is not wrong. You might think this question is foolish, and I also assume it'll be nothing, but I couldn't find any point. Please give me a hand if you know the answer. Thanks for reading :)
Addition:
The bucket policy that I attached to the source bucket.
The replaced principal is the ARN of the IAM identity in the target (destination) account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateS3Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:user/ws.kim"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<SOURCE_BUCKET_NAME>/*",
        "arn:aws:s3:::<SOURCE_BUCKET_NAME>"
      ]
    }
  ]
}
The reason is that this is an invalid bucket policy. Instead, it should be a managed IAM policy that you create and attach to an IAM role or user.
Please check the "How can I copy S3 objects from another AWS account?" article again and you will be able to properly set up this policy.
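What S3 is objecting to is structural: a bucket policy may only name resources inside the bucket it is attached to, so a document that lists both buckets is rejected whichever bucket it is put on, and the same statements without a Principal are exactly the identity policy the linked walkthrough attaches to the copying user. The following is an added example, not code from the question, the answer or AWS: a small checker that reports the two faults (a Resource that names another bucket, and a statement without a Principal) and a helper that turns the rejected document into identity-policy form. The bucket names and the principal ARN are constructed placeholders standing in for the poster's.

```python
# Added example: checks a bucket policy the way S3 does before accepting it, for the
# two faults on this page: every Resource must belong to the bucket the policy is
# attached to (otherwise S3 replies "Policy has invalid resource"), and every statement
# needs a Principal, which is what separates a bucket policy from an identity policy.
# Bucket names and the principal ARN below are constructed, not the poster's.
import re

_S3_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)(?:/.*)?$")

SOURCE, DEST = "source-bucket-example", "destination-bucket-example"
COPY_POLICY = {  # shape of the poster's first policy, which names both buckets
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{SOURCE}", f"arn:aws:s3:::{SOURCE}/*"]},
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": [f"arn:aws:s3:::{DEST}", f"arn:aws:s3:::{DEST}/*"]},
    ],
}
DELEGATE_POLICY = {  # shape of the poster's second policy, attached to the source bucket
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DelegateS3Access", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:user/copier"},
                   "Action": ["s3:ListBucket", "s3:GetObject"],
                   "Resource": [f"arn:aws:s3:::{SOURCE}/*", f"arn:aws:s3:::{SOURCE}"]}],
}

def _as_list(value):
    # IAM lets Resource be a scalar or a list; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def bucket_policy_problems(bucket_name, policy):
    """Return the problems S3 would object to; an empty list means the policy fits the bucket."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"statement {i}")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append(f"{sid}: no Principal, so this belongs in an identity policy")
        for arn in _as_list(stmt.get("Resource")):
            m = _S3_ARN.match(arn)
            if not m:
                problems.append(f"{sid}: {arn} is not an S3 bucket or object ARN")
            elif m.group("bucket") != bucket_name:  # a '*' bucket is flagged too (conservative)
                problems.append(f"{sid}: {arn} names bucket {m.group('bucket')}, not {bucket_name}")
    return problems

def to_identity_policy(policy):
    """Turn bucket-policy statements into identity-policy statements by dropping the
    Principal, the form the copy walkthrough attaches to the user in the other account."""
    statements = [{k: v for k, v in s.items() if k not in ("Principal", "NotPrincipal")}
                  for s in policy["Statement"]]
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}

if __name__ == "__main__":
    for bucket in (SOURCE, DEST):
        print(bucket, bucket_policy_problems(bucket, COPY_POLICY))
    print(SOURCE, bucket_policy_problems(SOURCE, DELEGATE_POLICY))
    print(to_identity_policy(COPY_POLICY))
```

Run against the source bucket the checker flags the two destination ARNs, run against the destination bucket it flags the two source ARNs, and the poster's DelegateS3Access policy passes on the source bucket, which matches the behaviour described in the question.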

Allow IAM user to access single, access denied

I have created an IAM policy and assigned it to an IAM user.
Please find the policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::testingbucket00"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::testingbucket00/*"
    }
  ]
}
I unchecked "Block new public bucket policies" for the S3 bucket testingbucket00.
I tried logging in to the AWS console as the IAM user and listing all buckets, but it shows "Access as Error".
I want to assign a single bucket to the IAM user; please help with this.
Even though this IAM user sees 'Error' as the Access value on the S3 console, he has the access given in the policy document to the bucket 'testingbucket00'.
However, if it is required to see the correct Access value, this IAM user needs to have permission to read bucket permissions.
Add the permissions below to the actions of the first (VisualEditor1) statement.
"s3:GetBucketPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus"

S3 bucket access is locked

It was found that the S3 bucket in our account got the wrong bucket policy applied, and now access is denied for all users including the root user:
{
  "bucketName": "somebucket",
  "bucketPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Stmt15348761457344",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::dhasg",
        "Principal": "*"
      },
      {
        "Sid": "Stmt153478299578",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": "arn:aws:s3:::somebucket",
        "Principal": "*"
      }
    ]
  }
}
We are not able to change the permissions through the AWS console or CLI, and we are not able to delete the bucket either. How do we fix it?
You should be able to edit the bucket policy as root. You will not be able to delete the bucket, even as root, until you modify the policy.