I'd like to restrict public access to some objects we have stored in S3, but show other objects in the same hierarchy of keys. For example, assume I want to make bucketname/* publicly readable. But want to prevent access to bucketname/*/hidden/* for any users that are not expressly given access in IAM.
I can do that with a bucket policy like:
{
"Id": "Policy123",
"Statement": [
{
"Sid": "Stmt123",
"Action": [ "s3:GetObject" ],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Principal": {
"AWS": [ "*" ]
}
},
{
"Sid": "Stmt124",
"Action": [ "s3:GetObject" ],
"Effect": "Deny",
"Resource": "arn:aws:s3:::bucketname/*/hidden/*",
"Principal": {
"AWS": [ "*" ]
}
]
}
But that prevents any IAM users/groups I have granted from accessing the hidden objects. Is there a setting for Principal in the second statement that only matches unauthenticated access? Or better yet, is there a way to list only those Principals that should NOT be affected by a policy statement?
According to AWS support, this is currently not possible. Any Deny policy overrides a matching (or subset) Allow policy and there is no way to deny anonymous access only.
A similar effect can be achieved by specifying a private ACL for all objects matching bucketname/*/hidden/*, but that is not as flexible and must be applied manually.
You don't need to set the policy on the bucket. In fact you can apply this same policy on the IAM user or group depending on what works best in your scenario.
https://console.aws.amazon.com/iam/home?#
Users
Select desired user
Click permissions tab
Attach user policy
Custom policy
Select
Copy and paste policy
Apply Policy
Sometimes extra permissions need to be added to the user so they can see the buckets to navigate. If for example they're using cloud berry you will need to give them list access to the main buckets. See for example one of my policies.
{
"Statement": [
{
"Sid": "Stmt1330983243489",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<allowbucket1>",
"arn:aws:s3:::<allowbucket1>/*"
]
},
{
"Sid": "Stmt1330983260440",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "Stmt1330983357419",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
Related
I have setup a AWS SFTP server with custom api gateway identity provider. The user is created as SFTP/username in secrets manager with following key, value pairs -
Password: <passwordvalue>
Role: <roleARN> // roleARN policy is as follows
HomeDirectory: /<s3bucketname>/<username>
The roleARN's policy is as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketContents",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:ListBucketVersions",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::<s3bucketname>"
},
{
"Sid": "AllUserReadAccessInUserFolder",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/*"
]
},
{
"Sid": "AllUserFullAccessForToFolders",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/To/*"
]
},
{
"Sid": "AllUserReadAccessForFromFolders",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/From/*"
]
},
{
"Sid": "DenyUserFromDeletingStandardFolders",
"Action": [
"s3:DeleteObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/To/",
"arn:aws:s3:::<s3bucketname>/<username>/From/"
]
}
]
}
With the current policy I have correct permissions for a specific user and the permissions/access is working as expected, but the problem is the hardcoded user in the policy.
I now have to create one more user for SFTP in secrets manager and was expecting to use the same IAM role what I have used for first user. I found that this can be achieved using session policies (https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html) that I can use same role/policy for multiple sftp users in secrets manager.
But I am having hard time getting it to work.
When I am replacing in the policy - the s3bucketname with ${transfer:HomeBucket}
and related values as mentioned in the session policies link above - I was expecting it to work, but I kept running into access denied issues when trying to list the s3 bucket contents via SFTP client.
Can someone help me understand what am I missing here, any help greatly appreciated.
Got to know that I need to use HomeDirectoryDetails instead of HomeDirectory the logical directory - https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/
Thanks.
I have a bucket that has these prefixes:
1_user/
2_user/
10_user/
Users have access to all bucket by default, but I want to deny access to this specific bucket to all prefixes except those listed above (read/write), for which I tried something like this:
{
"Version": "2012-10-17",
"Id": "BlockReadWriteListAccessExceptUser",
"Statement": [
{
"Sid": "BlockReadWriteAccess",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
},
{
"Sid": "AllowReadWriteAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mybucket/*_user"
}
]
}
I realized that for get and put, I cannot use conditions, so how can I achieve that?
Your bucket policy will not work because explicit deny always overrides the allows. I want to make this crystal clear. For example, say you want to add an object 999_user. The object ARN is arn:aws:s3:::mybucket/999_user, which matches the deny statement with sid "BlockReadWriteAccess". S3 will deny this request right away without even looking at the "AllowReadWriteAccess" statement.
How to achieve the behaviour you want? The policy element NotResource comes in handy in this case.
{
"Version": "2012-10-17",
"Id": "BlockReadWriteListAccessExceptUser",
"Statement": [
{
"Sid": "BlockReadWriteAccess",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"NotResource": "arn:aws:s3:::mybucket/*_user*"
}
]
}
I am new to Amazon S3 and just created my first bucket. I need two important policies to be implemented on the bucket which are as follows:
First, policy for allowing only downloads from my own website (via HTTP referrer)
Secondly, I want to make all objects in the bucket public.
I have got two different codes of policies for my needs, but now I can't put them together to achieve the said goals. Please help me joining these too policies together so I achieve what I want.
For allowing referrer downloads:
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originated from www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"URL/*",
]
}
}
}
]
}
For making objects public:
{
"Sid": "...",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": [ "*" ]
}
}
Using AWS S3. I have a mixture of video and photo files. All of which are in their respective sub-directories. All files are set to private. I am getting AccessDenied when I try to access a video file. The other files are fine.
I tried this to no avail:
{
"Id": "Policy1331547131417",
"Statement": [
{
"Sid": "Stmt1331546963174",
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/videos/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt1331547083926",
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/photos/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt1331547130024",
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/banners/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
My bucket policy is the same for videos, photos, and banners. ACL permissions are also the same for all files. So why am I not able to access files from my videos directory?
How do you actually try to access your video files, i.e. by means of which tool, service, API?
The access method in use might actually require permission for the s3:ListBucket action as well, e.g. a JavaScript video player widget might implicitly look for various file formats of the video in question to present a respective selection to your user - you'll need to be aware of the difference between Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject), see my answer to Problems specifying a single bucket in a simple AWS user policy for more details on this.
Extending your video bucket policy accordingly might remedy this issue, e.g. (policy fragment only):
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/videos",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
Please note that this policy fragment addresses the bucket, where yours only addresses the objects therein and both fragments are required - as mentioned above, this subtle difference is explained in my answer to Problems specifying a single bucket in a simple AWS user policy.
In addition to Steffen Opel answer.
Below is what worked for me.
{
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::BUCKET_NAME/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
I want to be able to allow users created through IAM to be able to view one specific bucket in the management console. Furthermore, I want to restrict it to a folder within the bucket, such that the permissions would be:
S3 Console access for my-bucket/folder/*
How would I do this using the policy generator? I currently have:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
However, when I modify the Resource location -- arn:aws:s3:::my-bucket/folder -- it prevents the user from being able to use the console at all. Is this possible to do and what do I need to do to be able to fix this?
The policy for this reminded me of doing an Euler apporximation, but this is how I did it (with comments to explain):
{
"Statement": [
{ // first, allow unlimited access for S3
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{ // second, deny access to all buckets except for the particular bucket
"Action": [
"s3:*"
],
"Effect": "Deny",
"Resource": [
list-of-my-other-buckets
]
},
{ // third, since we've already given * permissions, the bucket has full
// permissions, and we need to restrcit all the permissions we don't want to give
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
}
]
}