I create an s3 bucket via terraform for the purpose of storing VPC Flow Logs:
resource "aws_s3_bucket" "bucket" {
bucket = local.bucket_name
force_destroy = true
tags = var.tags
}
After the bucket is created, and flow-log service is created, there are a few entries under "/AWSLogs/..."
after I remove the flow-log service I attempt the terraform destroy, but it fails with the following entry, one for each object:
deleting: S3 object (AWSLogs/.../...98d659c.log.gz) version (null): AccessDenied: Access Denied
there are no policies, because they get deleted first.
ACLs are bucket owner and s3 log delivery group have full access, the rest are turned off. and owner is set to data.aws_canonical_user_id.current.id
ACL permissions are not quite enough. The IAM role you are using requires the s3:DeleteObject* permissions.
Related
(+)
I just found a similar question and answer with help from petrch (thanks!) and being try to apply...
CodeBuild upload build artifact to S3 with ACL
I'm updating accountB's S3 bucket by accountA's CodeBuild project.
A problem is, all the object from accountA's CodeBuild deny to access.
My purpose is using this S3 bucket for static hosting.
I set all requirements for static hosting and it's working fine when I uploaded simple index.html manually.
But the individual object from accountA's CodeBuild project show below attached error.
ex) index.html properties & permission
I checked the Disable artifact encryption option in the artifact setting in the CodeBuild project.
and also on the override params,
encryptionDisabled: true
This code build project is working fine when I save the output in the same account S3.
(S3 static hosting site in AccountA is working well)
But getting access issue in accountB's S3.
Before try to touch KMS policy, I want to know if I missed some configurations in the CodeBuild.
Please advice me what I have to do or missed...
Thanks.
(+)
I just found a similar question and answer with help from petrch (thanks!) and being try to apply...
CodeBuild upload build artifact to S3 with ACL
Upload the objects with bucket-owner-full-control canned ACL, otherwise the objects will be still "owned" by the source account.
See:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html
It says:
Amazon S3 access control lists (ACLs) enable you to manage access to buckets and objects. Each bucket and object has an ACL attached to it as a subresource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to verify that the requester has the necessary access permissions.
When you create a bucket or an object, Amazon S3 creates a default ACL that grants the resource owner full control over the resource. This is shown in the following sample bucket ACL (the default object ACL has the same structure)
So the object has ACL of the source bucket, it's not very obvious, but you can provide an ACL during the PutObject action from the source account. So it can still be just one call.
Background
I am working on a task to generate AWS QuickSight report in Account B from AWS Systems Manager Inventory data in the Account A S3 bucket (s3 sync).
I have successfully added all the resource sync data in to cross account (Account A) S3 bucket using SSM resource data sync. Bucket is encrypted using AWS-KMS key (key is located in Account A) and same key has been used in resource data sync in the all accounts to add data in cross account bucket.
Moreover, I am using Athena in Account B to create sample database and schemas from S3 Sync data.
Problem
Athena can create successfully database and schemas in Account B and also add metadata from Account B to Account A S3 bucket. It keeps showing access denied when I am trying to see "preview table".
Error
Your query has the following error(s):
com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 3F5896D43C82733B; S3 Extended Request ID
(Path: s3://bucket/AWS:Application/accountid=../region=us-east-1/resourcetype=ManagedInstanceInventory/i-..json)
Athena and QuickSight are working in the account where bucket and key are located, but I am want to keep bucket in different account.
I am trying to implement Best practices for patching your AWS and hybrid environment, but with different account and with KMS key.
I have followed all the document about Athena cross-account access with KMS but no luck. Also added decrypt IAM policy to QuickSight Service role.
My IAM role has full admin access. It uses assume role.
Can someone guide me on this issue? Thank you.
If you're i
If you create a resource data sync for an AWS Region that came online since the Asia Pacific (Hong Kong) Region (ap-east-1) or later, then you must enter a region-specific service principal entry in the SSMBucketDelivery section. The following example includes a region-specific service principal entry for ssm.ap-east-1.amazonaws.com
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html
I am trying to access a private S3 bucket that I've created in the console with boto3. However, when I try any action e.g. to list the bucket contents, I get
boto3.setup_default_session()
s3Client = boto3.client('s3')
blist = s3Client.list_objects(Bucket=f'{bucketName}')['Contents']
ClientError: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
I am using my default profile (no need for IAM roles). The Access Control List on the browser states that the bucket owner has list/read/write permissions. The canonical id listed as the bucket owner is the same as the canonical id I get when I go to 'Your Security Credentials'.
In short, it feels like the account permissions are ok, but boto is not logging in with the right profile. In addition, running similar commands from the command line e.g.
aws s3api list-buckets
also gives Access Denied. I have no problem running these commands at work, where I have a work log-in and IAM roles. It's just running them on my personal 'default' profile.
Any suggestions?
It appears that your credentials have not been stored in a configuration file.
You can run this AWS CLI command:
aws configure
It will then prompt you for Access Key and Secret Key, then will store them in the ~.aws/credentials file. That file is automatically used by the AWS CLI and boto3.
It is a good idea to confirm that it works via the AWS CLI first, then you will know that it should work for boto3 also.
I would highly recommend that you create IAM credentials and use them instead of root credentials. It is quite dangerous if the root credentials are compromised. A good practice is to create an IAM User for specific applications, then limit the permissions granted to that application. This avoids situations where a programming error (or a security compromise) could lead to unwanted behaviour (eg resources being used or data being deleted).
using the AWS CLI I'm trying to run
aws cloudformation create-stack --stack-name FullstackLambda --template-url https://s3-us-west-2.amazonaws.com/awsappsync/resources/lambda/LambdaCFTemplate.yam --capabilities CAPABILITY_NAMED_IAM --region us-west-2
but I get the error
An error occurred (ValidationError) when calling the CreateStack operation: S3 error: Access Denied
I have already set my credential with
aws configure
PS I got the create-stack command from the AppSync docs (https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html)
Looks like you accidentally skipped l letter at the end of template file name:
LambdaCFTemplate.yam -> LambdaCFTemplate.yaml
First make sure the S3 URL is correct. But since this is a 403, I doubt it's the case.
Yours could result from a few different scenarios.
1.If both APIs and IAM user are MFA protected, you have to generate temporary credentials using aws sts get-session-token and use it
2.Use a role to provide cloudformation read access to the template object in S3. First create a IAM role with read access to S3. Then create a parameter like below and ref it in resource properties IamInstanceProfile block
"InstanceProfile":{
"Description":"Instance Profile Name",
"Type":"String",
"Default":"iam-test-role"
}
I am using Amazon cloudformation template https://s3.amazonaws.com/cloudformation-templates-us-east-1/PHPHelloWorld.template to setup my application. I need to create a S3 bucket and a IAM user with full access to S3. My PHP application would need the credentials of the user created to upload files to s3.
How do I create a s3 bucket, IAM user with full access to S3 and how do I pass the users credentials to my application ?
Also I have to install the Amazon PHP SDK and some softwares, what are the entries I need to add to the UserData section of PHPHelloWorld.template
Thank you
The example template list contains a template for giving an IAM user full access.
Somewhat counter-intuitively you don't set any properties on the S3 bucket, it's either on an S3 bucket policy, or the IAM user.