I'm trying to policy json into my S3 bucket which will make my bucket accessible using Cognito credentials. Following is the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketName12345",
"Condition": {
"StringLike": {
"s3:prefix": "cognito/angularApplicationName/"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::bucketName12345/cognito/angularApplicationName/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::bucketName12345/cognito/angularApplicationName/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
but I get a warning saying "your bucket is public....". Since I'm very new to AWS, can somebody point out what am I missing here?
Related
I'd like to create an AWS policy to grant access to all buckets except one, but I do NOT want to use a deny. Reason being I want to also write policies to grant access to specific objects within the bucket and a deny blocks that.
I've tried this but it does not work (it's an improper use of aws:SourceArn), but it gives you an idea of what I'd like to achieve.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"*"
],
"Condition": {
"StringNotLike": {
"aws:SourceArn": [
"arn:aws:s3:::bucketname",
"arn:aws:s3:::bucketname/*"
]
}
}
}
]
}
Have you considered to be like?:
"Condition": {
"StringNotLike": {
"s3:prefix": [
"somename/",
"someothername/"
]
}
}
This is the solution for me to block any access to buckets prefixed with specific-bucketname-123
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": "arn:aws:s3:::specific-bucketname-123*"
}
]
}
I am using plesk to back up to S3
I've configured the back up and it works on some sites but on others fails for no apparent reason. The user permission scripts seem to be the same apart from the storage locations so this one works:
{
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"s3:CreateBucket",
"s3:DeleteBucket"
],
"Resource": "arn:aws:s3:::thechurch.org.uk",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::thechurch.org.uk/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}
but this one doesn't:
{
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"s3:CreateBucket",
"s3:DeleteBucket"
],
"Resource": "arn:aws:s3:::thechurchtwo.com",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::thechurchtwo.com/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}
plesk throws
Error: Error executing "CreateBucket" on "https://s3.eu-west-2.amazonaws.com/churchtwo"; AWS HTTP error: Client error: PUT https://s3.eu-west-2.amazonaws.com/churchtwo resulted in a 403 Forbidden response:
AccessDeniedAccess DeniedXXXXXX (truncated...)
AccessDenied (client): Access Denied -
AccessDeniedAccess DeniedXXXXXXXXXXXXXX
I have made it work a few time but it seems to be luck. Is there something about S3 that blocks a connection on a timeout or is my config wrong.
Any thoughts help would be great!
I'm trying to download an SSE-KMS encrypted object from my S3 bucket secret-bucket, where my AWS account id is XXXXXXXX with command
aws s3 cp s3://secret-bucket/file.json ./file.json
IAM user policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:*"
],
"Resource": "*"
}
]
}
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
S3 bucket policy
{
"Version": "2012-10-17",
"Id": "access",
"Statement": [
{
"Sid": "get-access",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXX:root"
]
},
"Action": [
"s3:GetObject*",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::secret-bucket/*",
"arn:aws:s3:::secret-bucket"
]
}
]
}
KMS key policy
{
"Version": "2012-10-17",
"Id": "bucket-key-default-1",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXX:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
Apparently I'm missing some permissions somewhere, but can't seem to figure out which one. Any ideas?
I am trying to setup AWS S3 policy for a specific user.It works find when i attach a policy to a user but my bucket policy access denied. Started with specific actions but in the following it is wide open. Here is my policy.Appreciate, if you can point out on what am i missing here.
{
"Id": "Policy1540550791287",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1540550707671",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::testabc1234abc",
"Principal": {
"AWS": [
"arn:aws:iam::<accountid>:user/test1"
]
}
},
{
"Sid": "Stmt1540550788846",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::testabc1234abc/*",
"Principal": {
"AWS": [
"arn:aws:iam::<accountid>:user/test1"
]
}
}
]
}
Here is the policy I wrote in Amazon S3. I thought it should give access to subfolders because of the * but it is giving access denied errors when the user tries to create or view subfolders. How can I change this to work?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndMediaListingOfCompanyBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mycoolbucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"media/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInMediaFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::mycoolbucket/media/*"
]
}
]
}
More details:
I logged into the console as the user. I went to the media folder. I then click on a folder inside of media and got the message "Error access denied".
You are missing permissions to list the contents of the media folder. Add the following statement to your policy.
Note: Your policy should be added to the user(s) and not to the bucket itself. A better choice is to create an IAM group, attach the policy to the group and then add each user to the group (which you mentioned that you are doing).
{
"Sid": "AllowListingOfMediaFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mycoolbucket"],
"Condition":{"StringLike":{"s3:prefix":["media/*"]}}
},
With this policy, I'm able to grant access to all subfolders of a folder in Amazon S3
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<<bucketname>>",
"Condition": {
"StringLike": {
"s3:prefix": "foldername/*"
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:PutObject*",
"s3:ListBucket",
"s3:DeleteObject*"
],
"Resource": "arn:aws:s3:::<<bucketname>>/foldername/*"
}
]
}