AWS S3 event notification on object permission change - amazon-s3

Can you some one guide me how to setup an event notification for object level permission change.Currently notification available for read,write,delete etc..
But I am looking to setup a email trigger if some one changed access permission in an s3 object inside a bucket.

There are two ways to deal with this kind of concern:
Proactive: write IAM policies that prevent users from putting object
with public access
Reactive: use CloudWatch Events to detect issues and respond to them (see blog post)

Related

I need to create a new IAM user programatically which limits access to an s3 object to only them

Using nodejs i need to have a function which when called creates a new IAM user and and gives them access to the specific s3 object that has been created for them, no one else other than them should have access to the object. I have cognito users and need to give them their own IAM user which can then only access their s3 object.
At the moment I keep receiving the error of invalidclienttokenid, but im unsure as to what this token is and how i can set it programatically. Is this the cognito tokenid returned from logging in? if so how does this relate to trying to create new s3 object and IAM user. Any help at all would be greatly appreciated!!

How to convert the AWS S3 principalId to user name

"userIdentity":{
"principalId":"Amazon-customer-ID-of-the-user-who-caused-the-event"
},
How I can convert the principal id, which is available with S3 Event Notification, into the user Name which is responsible for the action?
I couldn't find how to do this either. I ended up sending the sub from user attributes as part of the object key. Then you have access to the sub in the event notification.
It's mind-boggling why the IAM console UI does not show this nor allow for searching.
Have to use the AWS CLI to pull out these info.
aws iam list-users

How to implement access control for individual object in S3 bucket?

I have an S3 bucket which is by default private.
Now I want to implement access control on the objects of this bucket.
For example, if bucket has three objects A, B, C then object A, B could be public and object C could be private.
It should be possible to make the public object private and vice-versa from the application. The private objects will be accessible by selected application users only and public objects will be accessible by everyone.
Is there any way to implement it?
So far I have looked into object tagging. But I am not entirely sure if it applies in my situation.
You are correct that objects in Amazon S3 are private by default.
You can then grant access via several methods:
Set the Access Control List (ACL) on an individual object to make it Public (or set it back to being Private)
Create a Bucket Policy to grant access to a whole bucket, or a path within a bucket
Add a policy to an IAM User to allow that user access to all/part of an Amazon S3 bucket
Create Pre-signed URLs to grant time-limited access to a private object
So, you can certainly make specific objects Public and then change them to Private by using ACLs.
To make particular objects accessible to particular users, you should use Pre-Signed URLs. They work as follows:
Users authenticate to your application
When a user wishes to access a private object, the application is responsible for determining whether they are permitted to access it
If so, then the application generates a pre-signed URL. It only takes a few lines of code and does not require an API call to S3.
The application then provides the pre-signed URL just like any other link, such as putting it in an <a> tag, or in an <img> tag. The object will be accessible for a limited time duration just like any other resource on the Internet.
Once the duration has expired, the URL will no longer work (Access Denied)
This way, your application is totally in control of who can access which objects and authorized users can access the objects directly from Amazon S3. Also, the application users do not require AWS-specific logins; they would authenticate to your application.
See: Share an Object with Others - Amazon Simple Storage Service

Amazon S3 - does root user have access to buckets?

I am testing S3 calls using DHC REST client in Chrome. In these tests, the Authorization is all based on my root user credentials.
I can do a GET with //mybucket.s3.amazonws.com, and a list of the items in mybucket is returned.
If I add an item to retrieve (//mybucket.s3.amazonws.com/myitem), I always get 403 Forbidden.
I thought that the root user had automatic access to the objects, but am I wrong about that?
I took screen prints of both tests, which I'll supply if needed.
After some further monkeying around, I found my answer. Yes, the AWS root user can access individual items. But the Authorization header string changes. When you retrieve an object, that object's key participates in the calculation of the auth string. Thus, the same string used to retrieve the bucket list does not work when retrieving an object.

Using generic open graph objects and actions, and the publish_actions permission?

I'm trying to use the beta open graph API to publish about a user playing songs in my app. Besides the "normal" Open Graph docs, I found these:
https://developers.facebook.com/docs/opengraph/music/
Unfortunately I am not able to add generic actions like 'music.listens' or generic objects like 'music.song' to my app in the dev app. In order to get the publish_actions permission, however, I seem to be obliged to add at least an action, an object and a preview aggregation. If I don't, the auth dialog won't ask for the publish_actions permission.
When I do all this, I am able to get the publish_actions permission, but still I cannot publish a user listening to a song.
I get a 500 error 'OAuth "Facebook Platform" "unknown_error" "An unknown error has occurred."' when I try to publish by POSTing a request to this url:
https://graph.facebook.com/me/music.listens?song=http://open.spotify.com/track/34uKquOrQLgzBsUbFTkMTc&access_token=[...]
Is the publish_action permission bound to actions and objects that I have created within the namespace of my app? If so, how should I go about when I want to perform generic actions on generic objects? Or could this just be that I cannot use the spotify song for testing?
Hope someone can help.
Erwin
The built in music actions and objects are currently only available to the music launch partners.
In the meantime, please create your own custom song objects and listen actions.
publish_actions is the permissions used for all publishing of actions, custom and built-in.