Why am I getting AccessDenied with videos? - amazon-s3

Using AWS S3. I have a mixture of video and photo files. All of which are in their respective sub-directories. All files are set to private. I am getting AccessDenied when I try to access a video file. The other files are fine.
I tried this to no avail:
{
"Id": "Policy1331547131417",
"Statement": [
{
"Sid": "Stmt1331546963174",
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/videos/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt1331547083926",
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/photos/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt1331547130024",
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/banners/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
My bucket policy is the same for videos, photos, and banners. ACL permissions are also the same for all files. So why am I not able to access files from my videos directory?

How do you actually try to access your video files, i.e. by means of which tool, service, API?
The access method in use might actually require permission for the s3:ListBucket action as well, e.g. a JavaScript video player widget might implicitly look for various file formats of the video in question to present a respective selection to your user - you'll need to be aware of the difference between Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject), see my answer to Problems specifying a single bucket in a simple AWS user policy for more details on this.
Extending your video bucket policy accordingly might remedy this issue, e.g. (policy fragment only):
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/videos",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
Please note that this policy fragment addresses the bucket, where yours only addresses the objects therein and both fragments are required - as mentioned above, this subtle difference is explained in my answer to Problems specifying a single bucket in a simple AWS user policy.

In addition to Steffen Opel answer.
Below is what worked for me.
{
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::BUCKET_NAME/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}

Related

S3 keep entropy high for cognito-identity.amazonaws.com:sub user directory

I am authenticating each user via Cognito and each user has a folder everyone can read from but only he can write to it. Works like a charm.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowReadingOthers",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111:role/Cognito_Auth_Role"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::xxxxxx/*"
},
{
"Sid": "AllowUploadIntoHomeDirectory",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111:role/Cognito_Auth_Role"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::xxxxxx/user/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
The problem is the entropy for the folder names is very low since every folder starts with "us-east-1:", which can result in performance problems later on.
My workaround is to add additional entries with a "random" (aa-zz) start and add this to the database and the rules. Works too, but I want to avoid having that many rules for my bucket if possible.
"Resource": [
"arn:aws:s3:::xxxxxx/user/aa${cognito-identity.amazonaws.com:sub}/*"
"arn:aws:s3:::xxxxxx/user/ab${cognito-identity.amazonaws.com:sub}/*"
"arn:aws:s3:::xxxxxx/user/ac${cognito-identity.amazonaws.com:sub}/*"
.
.
.
"arn:aws:s3:::xxxxxx/user/zy${cognito-identity.amazonaws.com:sub}/*"
"arn:aws:s3:::xxxxxx/user/zz${cognito-identity.amazonaws.com:sub}/*"
]
Is there another way to add entropy with cognito-identity.amazonaws.com:sub?

Using two policies together in a single S3 bucket

I am new to Amazon S3 and just created my first bucket. I need two important policies to be implemented on the bucket which are as follows:
First, policy for allowing only downloads from my own website (via HTTP referrer)
Secondly, I want to make all objects in the bucket public.
I have got two different codes of policies for my needs, but now I can't put them together to achieve the said goals. Please help me joining these too policies together so I achieve what I want.
For allowing referrer downloads:
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originated from www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"URL/*",
]
}
}
}
]
}
For making objects public:
{
"Sid": "...",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": [ "*" ]
}
}

How can I set a policy for an s3 bucket that allows authenticated users to list the bucket or get any file from the bucket

I have set a permission on the bucket that allows "Authenticated Users" to list, upload, and delete from a bucket I created. This seems to allow me to upload files to the bucket, but it appears that downloading files from the bucket is not covered by this permission, and I instead need to define a policy for the bucket. It's not clear to me how to set such a policy. I tried the policy generator with my best guesses at what I should fill in, but the result was not a valid policy when I pasted it in as a new policy for the bucket (it failed with the message Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number"). Can someone explain what is wrong with the following policy and how to set it correctly to allow authenticated users to retrieve files from the bucket?
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
s3:GetObject applies to the objects in the bucket so the Resource is correct: "Resource": "arn:aws:s3:::my-bucket/*".
s3:ListBucket applies to the Bucket itself and so the Resource should be "Resource": "arn:aws:s3:::my-bucket"
your resulting policy should resemble:
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt-some-other-number",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
Just to compliment #c4urself answer. the answer help solve my issue as well, but there is some indication from AWS documentation, which you can add more than one resource, just use [] to make them a list.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}
Update Bucket policy as below
{
"Version": "2012-10-17",
"Id": "Policy1546023103427",
"Statement": [
{
"Sid": "Stmt1546023101836",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::usagereports-atul",
"arn:aws:s3:::usagereports-atul/*"
]
}
]
}
Just make the resource and array/list of resources and add an item to the list with /* as s3:GetObject applies to arn:aws:s3:::my_secure_bucket/*. See below
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"

Amazon S3 bucket policy for public restrictions only

I'd like to restrict public access to some objects we have stored in S3, but show other objects in the same hierarchy of keys. For example, assume I want to make bucketname/* publicly readable. But want to prevent access to bucketname/*/hidden/* for any users that are not expressly given access in IAM.
I can do that with a bucket policy like:
{
"Id": "Policy123",
"Statement": [
{
"Sid": "Stmt123",
"Action": [ "s3:GetObject" ],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Principal": {
"AWS": [ "*" ]
}
},
{
"Sid": "Stmt124",
"Action": [ "s3:GetObject" ],
"Effect": "Deny",
"Resource": "arn:aws:s3:::bucketname/*/hidden/*",
"Principal": {
"AWS": [ "*" ]
}
]
}
But that prevents any IAM users/groups I have granted from accessing the hidden objects. Is there a setting for Principal in the second statement that only matches unauthenticated access? Or better yet, is there a way to list only those Principals that should NOT be affected by a policy statement?
According to AWS support, this is currently not possible. Any Deny policy overrides a matching (or subset) Allow policy and there is no way to deny anonymous access only.
A similar effect can be achieved by specifying a private ACL for all objects matching bucketname/*/hidden/*, but that is not as flexible and must be applied manually.
You don't need to set the policy on the bucket. In fact you can apply this same policy on the IAM user or group depending on what works best in your scenario.
https://console.aws.amazon.com/iam/home?#
Users
Select desired user
Click permissions tab
Attach user policy
Custom policy
Select
Copy and paste policy
Apply Policy
Sometimes extra permissions need to be added to the user so they can see the buckets to navigate. If for example they're using cloud berry you will need to give them list access to the main buckets. See for example one of my policies.
{
"Statement": [
{
"Sid": "Stmt1330983243489",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<allowbucket1>",
"arn:aws:s3:::<allowbucket1>/*"
]
},
{
"Sid": "Stmt1330983260440",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "Stmt1330983357419",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::*"
]
}
]
}

Granular policy document permissions in AWS

I want to be able to allow users created through IAM to be able to view one specific bucket in the management console. Furthermore, I want to restrict it to a folder within the bucket, such that the permissions would be:
S3 Console access for my-bucket/folder/*
How would I do this using the policy generator? I currently have:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
However, when I modify the Resource location -- arn:aws:s3:::my-bucket/folder -- it prevents the user from being able to use the console at all. Is this possible to do and what do I need to do to be able to fix this?
The policy for this reminded me of doing an Euler apporximation, but this is how I did it (with comments to explain):
{
"Statement": [
{ // first, allow unlimited access for S3
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{ // second, deny access to all buckets except for the particular bucket
"Action": [
"s3:*"
],
"Effect": "Deny",
"Resource": [
list-of-my-other-buckets
]
},
{ // third, since we've already given * permissions, the bucket has full
// permissions, and we need to restrcit all the permissions we don't want to give
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
}
]
}