I have a user in my IAM account called "testuser" who has administrator privileges, like so:
{
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
And then I have a policy on my S3 bucket that denies this user access, like so:
{
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "my-account-id:user/testuser"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket-name/*"
}
]
}
So, the explicit deny in the S3 bucket policy should override the allow from the IAM policy right? But when I log in as testuser, I still have access to everything in that bucket - I even have access to change or remove the bucket policy for that bucket (and every other bucket too). Why isn't my explicit deny doing anything?
Try using the full ARN form for the user ID in the bucket policy:
"Principal": {
"AWS":["arn:aws:iam::accountid:user/testuser"]
}
Related
I have a question about s3 bucket access, it's so complecated for me.
my configuration for s3 bucket is "public access is denied"
when I don't specify any policy in s3 bucket policy and give a user predefined S3 readonly permission, I can bring list of buckets and list of object in buckets.
But when I only make bucket policy for the user who has no iam policy attached to list buckets and object. the user are not able to list buckets and objects.
If it is true, why bucket policy is necessary to use?
bucket policy I made is like this.
{
"Version": "2012-10-17",
"Id": "Policy1672363253371",
"Statement": [
{
"Sid": "Stmt16",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2040:user/viewer"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::test-bucket"
}
{
"Sid": "Stmt17",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2040:user/viewer"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
I'm trying to upload to an s3 bucket which works fine if I set Block all public access: Off. However, with it on and the following bucket policy I get an access denied message
{
"Version": "2012-10-17",
"Id": "Policy1594969692377",
"Statement": [
{
"Sid": "Stmt1594969687722",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::066788420637:user/transloadit2"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucketname"
}
]
}
I thought that enabling/disabling public access just allowed rules to be created to then make the bucket public? I don't understand why it is blocking my upload when it is disabled.
Many thanks,
Matt
It appears that you wish to grant permission for a specific IAM User to upload to an Amazon S3 bucket.
For this, instead of creating a bucket policy you should add a policy to the IAM User themselves, such as:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
Note: This policy is granting too many permissions, including permission to delete the bucket and all its contents. I recommend that you limit it to the specific API calls desired (eg PutObject, GetObject).
Basically:
If you wish to grant access to one user, put the policy on the IAM User
If you wish to grant access to 'everybody', use a bucket policy
Permissions granted to the IAM User are not impacted by S3 Block Public Access.
You use the bucket itself as a resource. If you want to do operations over objects (put, get etc.), you need to put objects path to the resource. So, in your case, you should update your policy like this:
{
"Version": "2012-10-17",
"Id": "Policy1594969692377",
"Statement": [
{
"Sid": "Stmt1594969687722",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::066788420637:user/transloadit2"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname",
"arn:aws:s3:::bucketname/*"
]
}
]
}
I have a one bucket called world and under that bucket there is one folder world1. I granted a list object access to everyone from ACL and also set a below bucket policy but still I am unable to access the stored object in world1 folder. getting access denied error.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::world/*"
]
}
]
}
If you wish to make the world1 folder publicly accessible in the world bucket, use this Bucket Policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::world/world1/*"]
}
]
}
There is no need to change any ACLs.
This will grant permission to access/download/open any file in that directory. It will not grant permission to list the contents of the bucket.
In my S3 logs I see multiple requests from NSPlayer and all the requests are like below:
[29/Feb/2016:23:07:27 +0000] 188.71.221.62 - 07231C9924A44C67
REST.GET.OBJECT 16639/tracks/7ed00e05502aeb383d8a1abde2.mp3
"GET /bucket/16639/tracks/7ed00e05502aeb383d8a1abde2.mp3 HTTP/1.1" 200
- 4122705 5639543 6305 58
"http://m.xxxxxxw.com /" "NSPlayer/12.00.9651.0000
WMFSDK/12.00.9651.0000" -
I want to deny access to this useragent and I have written the bucket policy as well as the user policy to deny the access. However, still the access is not getting denied. Could you please help me to figure out why its happening?
Here is the bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmtxxxxxxxxx0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxx3:user/bucket"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringNotLike": {
"aws:UserAgent": "NSPlayer"
}
}
}
]
}
Please let me know how to fix this!
This is the reply I got from Amazon:
You almost have the correct policy on the bucket to block access from that user agent. The tricky part is that you're allowing access to the individual objects via public-read ACLs, so you can't use an restrictive "Allow" statement on the bucket. You'll need to explicitly deny that user agent from performing GET requests.
Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringLike": {
"aws:UserAgent": "*NSPlayer*"
}
}
}
]
}
The above policy will block any access to the bucket from anywhere, if NSPlayer is in the UserAgent string.
Also as FYI, Bucket Policy takes precedence over the User policy.
I'm having a tough time figuring out how to make this work. Our client runs a Lambda function to generate data to write to our bucket. Lambda assumes a role and because of that (I think) all our attempts to allow the client's entire account access to the bucket still result in an AccessDenied error.
In looking at our logs I see the AccessDenied is returned for the STS assumed-role. However, S3 console won't allow me to add a policy for a wildcard Principal, and the assumed role's session ID changes each session.
My guess from the sparse documentation is that we need to provide a trust relationship to the lambda.amazonaws.com service. But I can't find any documentation anywhere on how to limit that to just access from a specific Lambda function or account.
I would like to have something like this but with further constraints on the Principal so that it's not accessible by any account or Lambda function.
{
"Version": "2012-10-17",
"Id": "Policy11111111111111",
"Statement": [
{
"Sid": "Stmt11111111111111",
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name-here/*",
"arn:aws:s3:::bucket-name-here"
]
}
]
}
UPDATE
This policy doesn't even work. It still returns an AccessDenied. The user listed in the logs is in the form of arn:aws:sts::111111222222:assumed-role/role-name/awslambda_333_201512111822444444.
So at the point I'm at a loss as to how to even allow a Lambda function to write to an S3 bucket.
We resolved this eventually with help from the IAM team.
IAM roles do not inherit any permission from the account so they need permissions assigned explicitly to the assumed role for the Lambda script.
In our case the Lambda script was also trying to grant the destination bucket owner full control of the copied file. The role assumed by the Lambda function was missing permissions for s3:PutObjectAcl.
After we added the permission the lambda function began working correctly.
The destination policy that we have working now is something like this:
{
"Version": "2012-10-17",
"Id": "Policy11111111111111",
"Statement": [
{
"Sid": "Stmt11111111111111",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"aws:userid": "ACCOUNT-ID:awslambda_*"
}
}
},
{
"Sid": "Stmt11111111111111",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"StringLike": {
"aws:userid": "ACCOUNT-ID:awslambda_*"
}
}
},
{
"Sid": "Stmt11111111111111",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::0000000000000:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "Stmt11111111111111",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::0000000000000:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
To Allow Cross account lambda function to get access of s3 bucket
following policy we need to add to s3 bucket policy externally
{
"Sid": "AWSLambda",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com",
"AWS": "arn:aws:iam::<AccountID>:root"
},
"Action": "s3:GetObject",
"Resource": "<AWS_S3_Bucket_ARN>/*"
}
Following Template will help you to allow cross account Lambda function to access s3 bucket
Parameters:
LamdaAccountId:
Description: AccountId to which allow access
Type: String
Resources:
myBucket:
Type: 'AWS::S3::Bucket'
Properties: {}
Metadata:
'AWS::CloudFormation::Designer':
id: e5eb9fcf-5fe2-468c-ad54-b9b41ba1926a
myPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref myBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: Stmt1580304800238
Action: 's3:*'
Effect: Allow
Resource:
- !Sub 'arn:aws:s3:::${myBucket}/*'
Principal:
Service: lambda.amazonaws.com
AWS:
- !Sub '${LamdaAccountId}'