How do I grant access to all subfolders of a folder in Amazon S3? - amazon-s3

Here is the policy I wrote in Amazon S3. I thought it should give access to subfolders because of the * but it is giving access denied errors when the user tries to create or view subfolders. How can I change this to work?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootAndMediaListingOfCompanyBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mycoolbucket"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "media/"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInMediaFolder",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mycoolbucket/media/*"
      ]
    }
  ]
}
More details:
I logged into the console as the user. I went to the media folder. I then clicked on a folder inside of media and got the message "Error access denied".

You are missing permissions to list the contents of the media folder. Add the following statement to your policy.
Note: Your policy should be added to the user(s) and not to the bucket itself. A better choice is to create an IAM group, attach the policy to the group and then add each user to the group (which you mentioned that you are doing).
{
  "Sid": "AllowListingOfMediaFolder",
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::mycoolbucket"],
  "Condition": {"StringLike": {"s3:prefix": ["media/*"]}}
}

With this policy, I'm able to grant access to all subfolders of a folder in Amazon S3:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<<bucketname>>",
      "Condition": {
        "StringLike": {
          "s3:prefix": "foldername/*"
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "s3:PutObject*",
        "s3:ListBucket",
        "s3:DeleteObject*"
      ],
      "Resource": "arn:aws:s3:::<<bucketname>>/foldername/*"
    }
  ]
}

Related

AWS S3: Is it possible to grant access to all buckets except one, without using a deny

I'd like to create an AWS policy to grant access to all buckets except one, but I do NOT want to use a deny. Reason being I want to also write policies to grant access to specific objects within the bucket and a deny blocks that.
I've tried this but it does not work (it's an improper use of aws:SourceArn), but it gives you an idea of what I'd like to achieve.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:SourceArn": [
            "arn:aws:s3:::bucketname",
            "arn:aws:s3:::bucketname/*"
          ]
        }
      }
    }
  ]
}
Have you considered something like this?
"Condition": {
  "StringNotLike": {
    "s3:prefix": [
      "somename/",
      "someothername/"
    ]
  }
}
This is the solution for me to block any access to buckets prefixed with specific-bucketname-123:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Resource": "arn:aws:s3:::specific-bucketname-123*"
    }
  ]
}

Permission Required for deleteAfterRead on Camel S3 Component

I'm using the Camel S3 component to read objects uploaded to a particular S3 bucket. The objects are read successfully.
However, using "deleteAfterRead=true" fails with a 403 (no permission).
I have granted all the permissions in the "write" category, on the bucket, but I still get the error.
Right now these are the permissions. Any idea what I'm doing wrong?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:ListBucketMultipartUploads",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-camel-bucket"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*/*"
    }
  ]
}
I found the answer: for the s3:DeleteObject Action, I needed to specify the resource with a * at the end. So, arn:aws:s3:::my-camel-bucket/* instead of simply arn:aws:s3:::my-camel-bucket
However, for the ListBucket, I needed just the bucket name. So, what I have working now is this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::my-camel-bucket"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my-camel-bucket/*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*/*"
    }
  ]
}

Permission issues with: listing s3 buckets

What permission do I need to change to allow listing all s3 buckets?
I can run: aws s3 ls s3://bucketname;
but I cannot run: aws s3 ls;
The bucket policy is this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sid",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::6666666:user/myuser"
        ]
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucketname"
    }
  ]
}
Credit due to this post: https://stackoverflow.com/a/35746318/1242581
I needed the ListAllMyBuckets action on my user or user's group:
{
  "Sid": "AllowListingOfAllBuckets",
  "Effect": "Allow",
  "Action": [
    "s3:ListAllMyBuckets"
  ],
  "Resource": [
    "arn:aws:s3:::*"
  ]
}
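The two threads above (deleteAfterRead on Camel, and listing all buckets) fail for the same reason: an S3 action is paired with a Resource of the wrong shape. Object actions such as s3:DeleteObject authorise against `bucket/key`, bucket actions such as s3:ListBucket against the bare bucket ARN, and s3:ListAllMyBuckets only against `*` in an identity policy. The linter below is an added example (not AWS tooling and not from either thread); its action sets are a hand-picked subset of the real S3 action list, anything unlisted (including wildcards like s3:*) is skipped rather than guessed at, and the bucket-policy sample in `list_all_buckets_findings` is constructed for the demo. The Camel "before" and "after" policies are copied from that thread.

```python
"""Lint S3 IAM/bucket policies for the resource-scoping mistakes in the threads above.

Added example, not AWS tooling. The action sets are a hand-picked subset of the
real S3 action list; anything not listed (including wildcards like s3:*) is
skipped rather than guessed at.
"""
S3_PREFIX = "arn:aws:s3:::"

# Actions authorised against the bucket ARN (no "/key" part).
BUCKET_LEVEL = {
    "s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads",
    "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:GetBucketPolicy",
}
# Actions authorised against an object ARN ("<bucket>/<key>").
OBJECT_LEVEL = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectAcl",
    "s3:PutObjectAcl", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
    "s3:AbortMultipartUpload",
}
# Account-wide listing: only meaningful with Resource "*" / "arn:aws:s3:::*"
# and only in an identity (user/group/role) policy, never a bucket policy.
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def arn_kind(arn):
    """What an S3 Resource pattern can match: 'bucket', 'object', 'any' or 'other'."""
    if arn == "*":
        return "any"
    if not arn.startswith(S3_PREFIX):
        return "other"
    rest = arn[len(S3_PREFIX):]
    if "/" in rest:
        return "object"
    return "any" if "*" in rest else "bucket"  # IAM's '*' also matches '/', so "b*" spans keys


def spans_all_buckets(arn):
    """True for patterns such as "*" or "arn:aws:s3:::*/*" that reach every bucket."""
    return arn == "*" or arn.startswith(S3_PREFIX + "*")


def lint_policy(policy):
    """Return (sid, action, resource, message) for each suspicious pairing."""
    findings = []
    for st in policy["Statement"]:
        sid, resource_policy = st.get("Sid", ""), "Principal" in st
        for action in _as_list(st["Action"]):
            for res in _as_list(st["Resource"]):
                kind = arn_kind(res)
                if action in OBJECT_LEVEL and kind == "bucket":
                    findings.append((sid, action, res, "no effect: object action needs '<bucket>/<key-pattern>' (add '/*')"))
                elif action in BUCKET_LEVEL and kind == "object":
                    findings.append((sid, action, res, "no effect: bucket action needs the bare bucket ARN"))
                elif action in ACCOUNT_LEVEL and resource_policy:
                    findings.append((sid, action, res, "no effect: grant it in the user/group policy, not the bucket policy"))
                elif action in ACCOUNT_LEVEL and kind != "any":
                    findings.append((sid, action, res, "no effect: requires Resource '*' or 'arn:aws:s3:::*'"))
                elif action in OBJECT_LEVEL and spans_all_buckets(res):
                    findings.append((sid, action, res, "over-broad: reaches objects in every bucket of the account"))
    return findings


# The Camel thread's "before" policy, copied from the question.
CAMEL_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:DeleteObject", "s3:ListBucketMultipartUploads", "s3:GetObject"],
     "Resource": "arn:aws:s3:::my-camel-bucket"},
    {"Sid": "VisualEditor2", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*/*"},
]}
# The working policy from the answer (its GetObject-on-bucket entry is a harmless no-op).
CAMEL_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucketMultipartUploads", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::my-camel-bucket"},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::my-camel-bucket/*"},
    {"Sid": "VisualEditor2", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*/*"},
]}


def camel_findings():
    """(before, after) finding lists for the deleteAfterRead thread."""
    return lint_policy(CAMEL_BEFORE), lint_policy(CAMEL_AFTER)


def list_all_buckets_findings():
    """Constructed: ListAllMyBuckets put in a bucket policy vs the answer's identity-policy statement."""
    in_bucket_policy = {"Statement": [{"Sid": "Sid", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::6666666:user/myuser"},
        "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::bucketname"}]}
    in_user_policy = {"Statement": [{"Sid": "AllowListingOfAllBuckets", "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets"], "Resource": ["arn:aws:s3:::*"]}]}
    return lint_policy(in_bucket_policy), lint_policy(in_user_policy)


if __name__ == "__main__":
    for label, found in zip(("before", "after"), camel_findings()):
        print(label)
        for f in found:
            print("  ", *f)
```

Run it and the "before" policy reports the DeleteObject pairing that produced the 403, plus the GetObject-on-bucket no-op and the `arn:aws:s3:::*/*` grant that reaches every bucket in the account; the "after" policy drops the DeleteObject finding but keeps the other two, which is worth tightening before shipping.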

Restrict account from deleting folder in S3 but allow read/write into that folder

I want to allow users full access to subfolders, but not allow them to delete the subfolder. I have written this policy, but it doesn't work. It still lets the user delete the "inbound" and "outbound" folders.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListForAllowedBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:HeadBucket",
        "s3:ListBucketVersions",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::mybucketxxxx"
    },
    {
      "Sid": "AllowUserToListAllBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllUserFullAccessWithinStandardFolders",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucketxxxx/marketing/inbound/*",
        "arn:aws:s3:::mybucketxxxx/marketing/outbound/*"
      ]
    },
    {
      "Sid": "DenyUserFromDeletingStandardFolders",
      "Action": [
        "s3:DeleteObject"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::mybucketxxxx/marketing/inbound",
        "arn:aws:s3:::mybucketxxxx/marketing/outbound"
      ]
    }
  ]
}
Is it possible to do what I want?
Just change the last part of your policy to:
{
  "Sid": "DenyUserFromDeletingStandardFolders",
  "Action": [
    "s3:DeleteObject"
  ],
  "Effect": "Deny",
  "Resource": [
    "arn:aws:s3:::mybucketxxxx/marketing/inbound/",
    "arn:aws:s3:::mybucketxxxx/marketing/outbound/"
  ]
}
This is because an earlier policy grants /* which includes /, but this policy specifically denies /.
Create a separate IAM role; for that role, grant all S3 permissions except delete.
Thanks for posting this. I was looking for a similar solution. Just for the reference of other guys like me. This policy helped me restrict a particular user from deleting objects inside a folder as well as the folder itself.
{
  "Sid": "DenyUserFromDeletingStandardFolders",
  "Effect": "Deny",
  "Principal": {
    "AWS": "arn:aws:iam::XXXXXXXXX:user/XXXXXX"
  },
  "Action": "s3:DeleteObject",
  "Resource": [
    "arn:aws:s3:::XXXXXXX/folder*"
  ]
}

IAM policy for access to s3 bucket allows unintended object get operations

Given these bucket keys:
my-permtest/
my-permtest/rootfile.txt
my-permtest/Finance
my-permtest/Finance/financefile.txt
my-permtest/Collections
my-permtest/Collections/collectionfile.txt
my-permtest/Shared
my-permtest/Shared/sharedfile.txt
and this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListAllMyBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowedListAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-permtest",
        "arn:aws:s3:::my-permtest/Collections",
        "arn:aws:s3:::my-permtest/Shared"
      ]
    },
    {
      "Sid": "AllowAllObjectActionsNotExplicitlyDenied",
      "Effect": "Allow",
      "Action": [
        "s3:*Object*"
      ],
      "Resource": [
        "arn:aws:s3:::my-permtest/*"
      ]
    },
    {
      "Sid": "DenyAllFinanceAccess",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::my-permtest/Finance"
      ]
    }
  ]
}
Why am I able to perform gets and puts on s3://my-permtest/Finance/financefile.txt?
I expect that the "Sid": "DenyAllFinanceAccess" block should forbid this access.
This one turned out to be simple.
I needed to also deny all actions on all objects below the Finance key. Specifically, the "Sid": "DenyAllFinanceAccess" block needed to be modified to read:
{
  "Sid": "DenyAllFinanceAccess",
  "Effect": "Deny",
  "Action": [
    "s3:*"
  ],
  "Resource": [
    "arn:aws:s3:::my-permtest/Finance",
    "arn:aws:s3:::my-permtest/Finance/*"
  ]
}
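Three of the threads on this page (listing subfolders with an `s3:prefix` condition, denying deletion of the `inbound/`/`outbound/` folder objects, and the Finance Deny that did not cover `Finance/*`) come down to how IAM matches a Resource or condition pattern against one request, and to explicit Deny winning over Allow. The toy evaluator below is an added example, not AWS code and not from any of the answers; it models only the pieces those threads exercise (case-sensitive `*`/`?` wildcard matching for Resource and StringLike, case-insensitive Action matching, String* conditions, Deny > Allow > implicit deny), and the object keys it requests (`media/photos/`, `report.csv`) are constructed. The policies themselves are the ones posted in the threads, reduced to the statements that matter for each decision.

```python
"""Toy IAM evaluator for the prefix and Deny questions in the threads above.

Added example, not AWS code. It models only what those threads exercise:
case-sensitive wildcard matching of Resource ARNs and StringLike values ('*'
is any run of characters, '?' one character), case-insensitive Action
matching, String* conditions on request-context keys, and the order explicit
Deny > Allow > implicit deny. NotAction, policy variables, resource policies
and the rest of real IAM are out of scope. Keys such as media/photos/ and
report.csv below are constructed for the demo.
"""
import re


def matches(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters (including '/'), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_ok(cond, ctx):
    """Evaluate StringEquals/StringLike and their Not variants against ctx."""
    for op, pairs in cond.items():
        negated, like = op.startswith("StringNot"), op.endswith("Like")
        for key, wanted in pairs.items():
            if key not in ctx:  # a missing key fails positive operators
                if not negated:  # and satisfies negated ones (as IAM documents)
                    return False
                continue
            hit = any(matches(w, ctx[key]) if like else w == ctx[key] for w in _as_list(wanted))
            if hit == negated:  # positive needs a hit, negated needs none
                return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    ctx, decision = ctx or {}, "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(matches(a, action, ignore_case=True) for a in _as_list(st["Action"])):
            continue
        if not any(matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


def list_subfolder_decisions():
    """First thread: listing media/photos/ before and after the suggested statement."""
    b = "arn:aws:s3:::mycoolbucket"
    original = [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": b,
         "Condition": {"StringEquals": {"s3:prefix": ["", "media/"], "s3:delimiter": "/"}}},
        {"Effect": "Allow", "Action": "s3:*", "Resource": b + "/media/*"},  # never matches the bucket ARN
    ]
    fix = {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": b,
           "Condition": {"StringLike": {"s3:prefix": "media/*"}}}
    ctx = {"s3:prefix": "media/photos/", "s3:delimiter": "/"}
    return (evaluate({"Statement": original}, "s3:ListBucket", b, ctx),
            evaluate({"Statement": original + [fix]}, "s3:ListBucket", b, ctx))


def folder_marker_delete_decisions():
    """Fifth thread: deleting the zero-byte folder object marketing/inbound/ itself."""
    b = "arn:aws:s3:::mybucketxxxx"
    allow = {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
             "Resource": [b + "/marketing/inbound/*", b + "/marketing/outbound/*"]}
    deny = lambda suffix: {"Effect": "Deny", "Action": "s3:DeleteObject",
                           "Resource": [b + "/marketing/inbound" + suffix, b + "/marketing/outbound" + suffix]}
    folder, a_file = b + "/marketing/inbound/", b + "/marketing/inbound/report.csv"
    return (evaluate({"Statement": [allow, deny("")]}, "s3:DeleteObject", folder),   # Deny misses the key
            evaluate({"Statement": [allow, deny("/")]}, "s3:DeleteObject", folder),  # trailing slash matches
            evaluate({"Statement": [allow, deny("/")]}, "s3:DeleteObject", a_file))  # files stay deletable


def finance_decisions():
    """Last thread: Deny on the Finance key alone vs Finance plus Finance/*."""
    b = "arn:aws:s3:::my-permtest"
    allow = {"Effect": "Allow", "Action": "s3:*Object*", "Resource": b + "/*"}
    deny = lambda res: {"Effect": "Deny", "Action": "s3:*", "Resource": res}
    obj, shared = b + "/Finance/financefile.txt", b + "/Shared/sharedfile.txt"
    return (evaluate({"Statement": [allow, deny(b + "/Finance")]}, "s3:GetObject", obj),
            evaluate({"Statement": [allow, deny([b + "/Finance", b + "/Finance/*"])]}, "s3:GetObject", obj),
            evaluate({"Statement": [allow, deny([b + "/Finance", b + "/Finance/*"])]}, "s3:GetObject", shared))


if __name__ == "__main__":
    for fn in (list_subfolder_decisions, folder_marker_delete_decisions, finance_decisions):
        print(fn.__name__, fn())
```

The pattern matcher is the whole story: `*` happily matches an empty string, so `marketing/inbound/*` covers the folder object `marketing/inbound/` itself, while an exact `marketing/inbound` or `my-permtest/Finance` covers nothing underneath it. When a Deny is meant to protect a subtree, list both the key and `key/*`, and verify the result with IAM's policy simulator before relying on it.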