Do you have a problem understanding S3 IAM Policies and Directives ? Can't quite wrap your head around their documentation ? I did.
I had a situation where I had to lock out several IAM users from a particular folder, and several buckets, except one, and most of their solutions and example solutions were about as clear as mud as far as I was concerned. After scouring the web and not finding what I was looking for I came upon a resource
(http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke) that was clear and actually helpful, but it did need some modification, and result is the policy you see below....
What it does is allows the user access to a particular folder within a bucket, but DENIES access to any other listed folder in the same bucket. Mind you, you will not be able to block them from viewing the contents of the folder, nor will you block them from seeing that there are other buckets, that can't be helped. However, they won't have access to the bucket/folder of your choice.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringEquals":{"s3:prefix":["","yourfoldername/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringLike":{"s3:prefix":["yourfoldername/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::yourbucketname/yourfoldername/*"]
},
{
"Action": [
"s3:*"
],
"Sid": "Stmt1375581921000",
"Resource": [
"arn:aws:s3:::yourbucketname/anotherfolder1/*",
"arn:aws:s3:::yourbucketname/anotherfolder2/*",
"arn:aws:s3:::yourbucketname/anotherfolder3/*",
"arn:aws:s3:::yourbucketname/anotherfolder4/*"
],
"Effect": "Deny"
}
]
}
Related
I have an IAM role set for my task with the following permissions, yet I get access denied trying to access the buckets.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket/Templates/*",
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::anotherBucket/*"
]
}
]
}
The container instance has a role with the standard AmazonEC2ContainerServiceforEC2Role policy.
I seem to be able to read and write to folders under from bucket/ like bucket/00001, BUT I can't read from bucket/Templates.
Ive redeployed the permissions and the tasks repeatedly (using terraform) but nothing changes. Ive added logging to the app to ensure it's using the correct bucket and path / keys.
I'm stumped. Anyone got a clue what I might have missed here?
Thanks
PS: It just occurred to me, the files in the buckets I cant access I copy there using a script. This is done using credentials other than the creds the task is using.
aws s3 cp ..\Api\somefiles\000000000001\ s3://bucket/000000000001 --recursive --profile p
aws s3 cp ..\Api\somefiles\Templates\000000000001\ s3://bucket/Templates/000000000001 --recursive --profile p
I was using -acl bucket-owner-full-control on the cp command but I removed that to see if would help - it didnt. Maybe I need something else?
It works now because you changed the Resource to match "".
Try adding the bucket itself as a resource, along with / pattern:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sid1",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "sid2",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::anotherBucket"
"arn:aws:s3:::anotherBucket/*",
]
}
]
Solved. Found an old sample from a previous employer :) I needed a permission for List* explicitly, separate from the other permissions. I also needed to define the sids.
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sid1",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "sid2",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
I'm setting up a new policy so my website can store images on S3, and I'm trying to keep it as secure as possible.
I can put an object and read it, but can not delete it, even though it appears I've followed the recommendations from Amazon. I am not using versioning.
What am I doing wrong?
Here's my policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:PutLifecycleConfiguration",
"s3:DeleteObject",
"s3:ListObjects"
],
"Resource": "*"
}
]
}
After screwing around with multiple permission actions it turns out I needed to add s3:ListBucket and s3:ListObjects. Once added I can now delete objects.
I'm trying to define a policy for a specific user.
I have several buckets in my S3 but I want to give the user access to some of them.
I created the following policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:PutObject"],
"Resource":["arn:aws:s3:::examplebucket"]
}
when I try to add a list of resources like this:
"Resource":["arn:aws:s3:::examplebucket1","arn:aws:s3:::examplebucket2"]
I get access denied
The only option that works for me (I get buckets lists) is:
"Resource": ["arn:aws:s3:::*"]
whats the problem?
Some Amazon S3 API calls operate at the Bucket-level, while some operate at the Object-level. Therefore, you will need a policy like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
See: AWS Security Blog - Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
I found that its an AWS limitation.
There is no option get filtered list of buckets.
Once you give permissions to ListAllMyBuckets like this:
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
}
you get the list of all bucket (including buckets that you don't have permissions to it).
More info could be found here: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
Few workarounds could be found here: Is there an S3 policy for limiting access to only see/access one bucket?
All of my files are stored in one single bucket. I want to define a policy that is used in a temporary credential to give user permission to put one file with a key that I provide. Here is my policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::{bucketname}/AKey"
]
}
]
}
Delete and get work and they are limited to "AKey". However the user can put objects with whatever keys they want to.
I have a bucket on which we have removed the DeleteObject privilege so that the Authenticated users don't delete the data.
The policy looks like this:
{
"Version": "2008-10-17",
"Id": "test-s3-privileges",
"Statement": [
{
"Sid": "Stmt1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxx:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
},
{
"Sid": "Stmt2",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::test/*"
}
]
}
Now, I am testing HUNK (http://www.splunk.com/view/hunk/SP-CAAAH2E). This product wants to create a subdirectory called splunk under the "test" bucket and wants access to delete the objects it creates under the test/splunk/ directory.
So, I added the below statement to the policy:
{
"Sid": "Stmt3",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxx:user/abc"
},
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::test/splunk/*"
}
But I am still not able to delete data under test/splunk directory. Can someone help me figure out what I am doing wrong? Or is there a better way to take care of this?
Note:- I want to delete data only from test/splunk/�* and not from any other directories under test/*
Explicit deny overrides any explicit Allows, as the default operation is Deny.
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
It is always better to explicitly allow just what you need instead of allowing "*" and denying specific actions. With explicit Allow actions you very rarely need to use explicit Deny statements.