ECS Task Access Denied to S3 - amazon-s3

I have an IAM role set for my task with the following permissions, yet I get access denied trying to access the buckets.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket/Templates/*",
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::anotherBucket/*"
]
}
]
}
The container instance has a role with the standard AmazonEC2ContainerServiceforEC2Role policy.
I seem to be able to read and write to folders under from bucket/ like bucket/00001, BUT I can't read from bucket/Templates.
Ive redeployed the permissions and the tasks repeatedly (using terraform) but nothing changes. Ive added logging to the app to ensure it's using the correct bucket and path / keys.
I'm stumped. Anyone got a clue what I might have missed here?
Thanks
PS: It just occurred to me, the files in the buckets I cant access I copy there using a script. This is done using credentials other than the creds the task is using.
aws s3 cp ..\Api\somefiles\000000000001\ s3://bucket/000000000001 --recursive --profile p
aws s3 cp ..\Api\somefiles\Templates\000000000001\ s3://bucket/Templates/000000000001 --recursive --profile p
I was using -acl bucket-owner-full-control on the cp command but I removed that to see if would help - it didnt. Maybe I need something else?

It works now because you changed the Resource to match "".
Try adding the bucket itself as a resource, along with / pattern:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sid1",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "sid2",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::anotherBucket"
"arn:aws:s3:::anotherBucket/*",
]
}
]

Solved. Found an old sample from a previous employer :) I needed a permission for List* explicitly, separate from the other permissions. I also needed to define the sids.
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sid1",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "sid2",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}

Related

Amazon S3 Can't Delete Object via API

I'm setting up a new policy so my website can store images on S3, and I'm trying to keep it as secure as possible.
I can put an object and read it, but can not delete it, even though it appears I've followed the recommendations from Amazon. I am not using versioning.
What am I doing wrong?
Here's my policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:PutLifecycleConfiguration",
"s3:DeleteObject",
"s3:ListObjects"
],
"Resource": "*"
}
]
}
After screwing around with multiple permission actions it turns out I needed to add s3:ListBucket and s3:ListObjects. Once added I can now delete objects.

Amazon s3 user policies

I'm trying to define a policy for a specific user.
I have several buckets in my S3 but I want to give the user access to some of them.
I created the following policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:PutObject"],
"Resource":["arn:aws:s3:::examplebucket"]
}
when I try to add a list of resources like this:
"Resource":["arn:aws:s3:::examplebucket1","arn:aws:s3:::examplebucket2"]
I get access denied
The only option that works for me (I get buckets lists) is:
"Resource": ["arn:aws:s3:::*"]
whats the problem?
Some Amazon S3 API calls operate at the Bucket-level, while some operate at the Object-level. Therefore, you will need a policy like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
See: AWS Security Blog - Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
I found that its an AWS limitation.
There is no option get filtered list of buckets.
Once you give permissions to ListAllMyBuckets like this:
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
}
you get the list of all bucket (including buckets that you don't have permissions to it).
More info could be found here: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
Few workarounds could be found here: Is there an S3 policy for limiting access to only see/access one bucket?

Google Cloud Storage transfer from Amazon S3 - Invalid access key

I'm trying to create a transfer from my S3 bucket to Google Cloud - it's basically the same problem as in this question, but none of the answers work for me. Whenever I try to make a transfer, I get the following error:
Invalid access key. Make sure the access key for your S3 bucket is correct, or set the bucket permissions to Grant Everyone.
I've tried the following policies, to no success:
First policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*",
"s3:GetBucketLocation"
],
"Resource": "*"
}
]
}
Second policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
Third policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket-name",
"arn:aws:s3:::my-bucket-name/*"
]
}
]
}
I've also made sure to grant the 'List' permission to 'Everyone'. Tried this on buckets in two different locations - Sao Paulo and Oregon. I'm starting to run out of ideas, hope you can help.
I know this question is over a year old but I just encountered the same error when trying to do the transfer via the console. I worked around this by executing IT via the gsutils command line tool instead.
After installing and configuring the tool, simply run:
gsutils cp s3://sourcebucket gs://targetbucket
Hope this is helpful!

IAM configuration to access jgit on S3

I am trying to create IAM permissions so jgit can access a directory in one of my buckets.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::<mybucket>/<mydir>/*"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::<mybucket>/<mydir>"]
}
]
}
Unfortunately it throws an error. I am not sure what other allow actions need to happen for this to work. (A little new at IAM).
Caused by: java.io.IOException: Reading of '<mydir>/packed-refs' failed: 403 Forbidden
at org.eclipse.jgit.transport.AmazonS3.error(AmazonS3.java:519)
at org.eclipse.jgit.transport.AmazonS3.get(AmazonS3.java:289)
at org.eclipse.jgit.transport.TransportAmazonS3$DatabaseS3.open(TransportAmazonS3.java:284)
at org.eclipse.jgit.transport.WalkRemoteObjectDatabase.openReader(WalkRemoteObjectDatabase.java:365)
at org.eclipse.jgit.transport.WalkRemoteObjectDatabase.readPackedRefs(WalkRemoteObjectDatabase.java:423)
... 13 more
Caused by: java.io.IOException:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>...</RequestId><HostId>...</HostId></Error>
at org.eclipse.jgit.transport.AmazonS3.error(AmazonS3.java:538)
... 17 more
The 403 Forbidden is obviously the error but not sure what needs to be added to the IAM. Any ideas?
[Should have added, too, that I tried this out in the policy simulator and it appeared to work there.]
The "403" error may simply mean that the key <mydir>/packed-refs doesn't exist. According to https://forums.aws.amazon.com/thread.jspa?threadID=56531:
Amazon S3 will return an AccessDenied error when a nonexistent key is requested and the requester is not allowed to list the contents of the bucket.
If you're pushing for the first time, that folder might not exist, and I'm guessing you would need ListBucket privileges on the parent directory to get the proper NoSuchKey response. Try changing that first statement to:
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::<mybucket>/*"]
}
I also noticed that jgit push s3 refs/heads/master worked when jgit push s3 master did not.
To future folk: if all you want to do is to set up a git repos bucket with its own user, the following security policy seems to be good enough:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucketname>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<bucketname>/*"
]
}
]
}

Amazon S3 Bucket and Folder Policy for IAM access?

Do you have a problem understanding S3 IAM Policies and Directives ? Can't quite wrap your head around their documentation ? I did.
I had a situation where I had to lock out several IAM users from a particular folder, and several buckets, except one, and most of their solutions and example solutions were about as clear as mud as far as I was concerned. After scouring the web and not finding what I was looking for I came upon a resource
(http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke) that was clear and actually helpful, but it did need some modification, and result is the policy you see below....
What it does is allows the user access to a particular folder within a bucket, but DENIES access to any other listed folder in the same bucket. Mind you, you will not be able to block them from viewing the contents of the folder, nor will you block them from seeing that there are other buckets, that can't be helped. However, they won't have access to the bucket/folder of your choice.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringEquals":{"s3:prefix":["","yourfoldername/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringLike":{"s3:prefix":["yourfoldername/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::yourbucketname/yourfoldername/*"]
},
{
"Action": [
"s3:*"
],
"Sid": "Stmt1375581921000",
"Resource": [
"arn:aws:s3:::yourbucketname/anotherfolder1/*",
"arn:aws:s3:::yourbucketname/anotherfolder2/*",
"arn:aws:s3:::yourbucketname/anotherfolder3/*",
"arn:aws:s3:::yourbucketname/anotherfolder4/*"
],
"Effect": "Deny"
}
]
}