We Keep Coding

IAM Policy is not giving access to the accesspoint

With this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:ListAccessPointsForObjectLambda",
"s3:GetAccessPoint",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:PutStorageLensConfiguration",
"s3:CreateJob"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
I am allowed to access a specific s3 accesspoint. However, when I try using a more specific access which only gives s3:* actions to a specific accesspoint:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:ListAccessPointsForObjectLambda",
"s3:GetAccessPoint",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:PutStorageLensConfiguration",
"s3:CreateJob"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:eu-west-1:598276570227:accesspoint/accesspointname"
}
]
}
This does not work, and the EC2 with this role stops being able to access the s3 access point (just copying a file using the AWS CLI)
First why is this happening? The role still should have access to all the actions on that accesspoint by my reckoning (which must be wrong in some way!).
Secondly, I am trying to make it such that an s3 bucket is only accessible from a certain IAM role. I tried setting this from the access policy from the access point itself. This had the opposite problem that it was too permissive and everything could still access it. What is the correct way of doing this - putting an IAM policy on the accesspoint to restrict access to the IAM role or making an IAM Role which has access to this s3 access point?

I got this working by using this:]
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:ListAccessPointsForObjectLambda",
"s3:GetAccessPoint",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:PutStorageLensConfiguration",
"s3:CreateJob"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"StringLike": {
"s3:DataAccessPointArn": "arn:aws:s3:eu-west-1:598276570227:accesspoint/accesspointname"
}
}
}
]
}

AWS S3 bucket policy to block source IP address not working

I know this question has been asked a few times and I have gone through a some documents and examples on this. But I am still not able to get it working.
I want to block access to my S3 bucket from one particular IP address and allow all others. I do not want to block instances belonging to an IAM role and hence I am using NotIpAddress Condition for this. Below is the policy I applied on my bucket:
{
"Version": "2012-10-17",
"Id": "Policy1486984747194",
"Statement": [
{
"Sid": "AllowAllExceptOneIP",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-test-bucket",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "52.38.90.46"
}
}
}
]
}
But this policy isn't working. I am able to upload files to my bucket from this machine, I am using s3-curl.pl to temporarily upload my files.
Can someone please help me find what is wrong here. Thanks.

To block all actions to an S3 bucket from a particular IP, policy needs to have separate deny effect statement for that IP, sample:
{
"Version": "2012-10-17",
"Id": "Policy1487062767078",
"Statement": [
{
"Sid": "AllowAll",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-test-bucket",
"arn:aws:s3:::my-test-bucket/*"
]
},
{
"Sid": "DenyIP",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-test-bucket",
"arn:aws:s3:::my-test-bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "52.38.90.46"
}
}
}
]
}
Action and Resource can be changed based on what one needs to block.
Thanks a lot #SergeyKovalev for helping me with this solution.

Amazon S3 : How to allow access to a specific path, only for a specific referer?

I have a Amazon S3 bucket mybucket and only want to enable access to content in a specific nested folder (or in S3 terms, with a specific "prefix").
I tried the following S3 bucket policy but it doesn't work. After adding the condition I started getting access denied errors in the browser.
{
"Version": "2012-10-17",
"Id": "Policy for mybucket",
"Statement": [
{
"Sid": "Allow access to public content only from my.domain.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://my.domain.com/*"
]
}
}
}
]
}
What should the policy look like to achieve this?

You need to split the policy in to two statements. One to allow access to the folder (prefix), and one to deny access when the referer is not one of the white listed domains:
{
"Version": "2012-10-17",
"Id": "Policy for mybucket",
"Statement": [
{
"Sid": "Allow access to public content",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*"
},
{
"Sid": "Deny access to public content when not on my.domain.com",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://my.domain.com/*"
]
}
}
}
]
}

Using two policies together in a single S3 bucket

I am new to Amazon S3 and just created my first bucket. I need two important policies to be implemented on the bucket which are as follows:
First, policy for allowing only downloads from my own website (via HTTP referrer)
Secondly, I want to make all objects in the bucket public.
I have got two different codes of policies for my needs, but now I can't put them together to achieve the said goals. Please help me joining these too policies together so I achieve what I want.
For allowing referrer downloads:
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originated from www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"URL/*",
]
}
}
}
]
}
For making objects public:
{
"Sid": "...",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": [ "*" ]
}
}

How can I set a policy for an s3 bucket that allows authenticated users to list the bucket or get any file from the bucket

I have set a permission on the bucket that allows "Authenticated Users" to list, upload, and delete from a bucket I created. This seems to allow me to upload files to the bucket, but it appears that downloading files from the bucket is not covered by this permission, and I instead need to define a policy for the bucket. It's not clear to me how to set such a policy. I tried the policy generator with my best guesses at what I should fill in, but the result was not a valid policy when I pasted it in as a new policy for the bucket (it failed with the message Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number"). Can someone explain what is wrong with the following policy and how to set it correctly to allow authenticated users to retrieve files from the bucket?
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}

s3:GetObject applies to the objects in the bucket so the Resource is correct: "Resource": "arn:aws:s3:::my-bucket/*".
s3:ListBucket applies to the Bucket itself and so the Resource should be "Resource": "arn:aws:s3:::my-bucket"
your resulting policy should resemble:
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt-some-other-number",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket",
"Principal": {
"AWS": [
"*"
]
}
}
]
}

Just to compliment #c4urself answer. the answer help solve my issue as well, but there is some indication from AWS documentation, which you can add more than one resource, just use [] to make them a list.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}

Update Bucket policy as below
{
"Version": "2012-10-17",
"Id": "Policy1546023103427",
"Statement": [
{
"Sid": "Stmt1546023101836",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::usagereports-atul",
"arn:aws:s3:::usagereports-atul/*"
]
}
]
}

Just make the resource and array/list of resources and add an item to the list with /* as s3:GetObject applies to arn:aws:s3:::my_secure_bucket/*. See below
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"