I'm trying to upload to an s3 bucket which works fine if I set Block all public access: Off. However, with it on and the following bucket policy I get an access denied message
{
"Version": "2012-10-17",
"Id": "Policy1594969692377",
"Statement": [
{
"Sid": "Stmt1594969687722",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::066788420637:user/transloadit2"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucketname"
}
]
}
I thought that enabling/disabling public access just allowed rules to be created to then make the bucket public? I don't understand why it is blocking my upload when it is disabled.
Many thanks,
Matt
It appears that you wish to grant permission for a specific IAM User to upload to an Amazon S3 bucket.
For this, instead of creating a bucket policy you should add a policy to the IAM User themselves, such as:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
Note: This policy is granting too many permissions, including permission to delete the bucket and all its contents. I recommend that you limit it to the specific API calls desired (eg PutObject, GetObject).
Basically:
If you wish to grant access to one user, put the policy on the IAM User
If you wish to grant access to 'everybody', use a bucket policy
Permissions granted to the IAM User are not impacted by S3 Block Public Access.
You use the bucket itself as a resource. If you want to do operations over objects (put, get etc.), you need to put objects path to the resource. So, in your case, you should update your policy like this:
{
"Version": "2012-10-17",
"Id": "Policy1594969692377",
"Statement": [
{
"Sid": "Stmt1594969687722",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::066788420637:user/transloadit2"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname",
"arn:aws:s3:::bucketname/*"
]
}
]
}
Related
I have a question about s3 bucket access, it's so complecated for me.
my configuration for s3 bucket is "public access is denied"
when I don't specify any policy in s3 bucket policy and give a user predefined S3 readonly permission, I can bring list of buckets and list of object in buckets.
But when I only make bucket policy for the user who has no iam policy attached to list buckets and object. the user are not able to list buckets and objects.
If it is true, why bucket policy is necessary to use?
bucket policy I made is like this.
{
"Version": "2012-10-17",
"Id": "Policy1672363253371",
"Statement": [
{
"Sid": "Stmt16",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2040:user/viewer"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::test-bucket"
}
{
"Sid": "Stmt17",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2040:user/viewer"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
I have a one bucket called world and under that bucket there is one folder world1. I granted a list object access to everyone from ACL and also set a below bucket policy but still I am unable to access the stored object in world1 folder. getting access denied error.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::world/*"
]
}
]
}
If you wish to make the world1 folder publicly accessible in the world bucket, use this Bucket Policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::world/world1/*"]
}
]
}
There is no need to change any ACLs.
This will grant permission to access/download/open any file in that directory. It will not grant permission to list the contents of the bucket.
Am trying to the test the s3 cross Account permission with instructions provided int the S3 Document. In the documentation example Account A creates bucket policy with read access to Account B root. Account B created a user Dave and provided him Read Access on Account A bucket.
I have tried the above example and it perfectly worked fine for me. But when i try to use the same example for write access it doesnt work for me. For example in account A i created below bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB-ID:root"
},
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::examplebucket"
]
}
]
}
In Account B i created user Dave with below permission
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example",
"Effect": "Allow",
"Action": [
"s3: PutObject"
],
"Resource": [
"arn:aws:s3:::examplebucket"
]
}
]
}
But when i try to put object using User Dave credentials of Account B i get access denied.
Is this expected behaviour or am i missing some thing.
In your user policy s3: PutObject shouldn't have a space in it.
In my S3 logs I see multiple requests from NSPlayer and all the requests are like below:
[29/Feb/2016:23:07:27 +0000] 188.71.221.62 - 07231C9924A44C67
REST.GET.OBJECT 16639/tracks/7ed00e05502aeb383d8a1abde2.mp3
"GET /bucket/16639/tracks/7ed00e05502aeb383d8a1abde2.mp3 HTTP/1.1" 200
- 4122705 5639543 6305 58
"http://m.xxxxxxw.com /" "NSPlayer/12.00.9651.0000
WMFSDK/12.00.9651.0000" -
I want to deny access to this useragent and I have written the bucket policy as well as the user policy to deny the access. However, still the access is not getting denied. Could you please help me to figure out why its happening?
Here is the bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmtxxxxxxxxx0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxx3:user/bucket"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringNotLike": {
"aws:UserAgent": "NSPlayer"
}
}
}
]
}
Please let me know how to fix this!
This is the reply I got from Amazon:
You almost have the correct policy on the bucket to block access from that user agent. The tricky part is that you're allowing access to the individual objects via public-read ACLs, so you can't use an restrictive "Allow" statement on the bucket. You'll need to explicitly deny that user agent from performing GET requests.
Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringLike": {
"aws:UserAgent": "*NSPlayer*"
}
}
}
]
}
The above policy will block any access to the bucket from anywhere, if NSPlayer is in the UserAgent string.
Also as FYI, Bucket Policy takes precedence over the User policy.
I have a user in my IAM account called "testuser" who has administrator privileges, like so:
{
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
And then I have a policy on my S3 bucket that denies this user access, like so:
{
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "my-account-id:user/testuser"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket-name/*"
}
]
}
So, the explicit deny in the S3 bucket policy should override the allow from the IAM policy right? But when I log in as testuser, I still have access to everything in that bucket - I even have access to change or remove the bucket policy for that bucket (and every other bucket too). Why isn't my explicit deny doing anything?
Try using the full ARN form for the user ID in the bucket policy:
"Principal": {
"AWS":["arn:aws:iam::accountid:user/testuser"]
}