I want to be able to allow users created through IAM to be able to view one specific bucket in the management console. Furthermore, I want to restrict it to a folder within the bucket, such that the permissions would be:
S3 Console access for my-bucket/folder/*
How would I do this using the policy generator? I currently have:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
However, when I modify the Resource location -- arn:aws:s3:::my-bucket/folder -- it prevents the user from being able to use the console at all. Is this possible to do and what do I need to do to be able to fix this?
The policy for this reminded me of doing an Euler apporximation, but this is how I did it (with comments to explain):
{
"Statement": [
{ // first, allow unlimited access for S3
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{ // second, deny access to all buckets except for the particular bucket
"Action": [
"s3:*"
],
"Effect": "Deny",
"Resource": [
list-of-my-other-buckets
]
},
{ // third, since we've already given * permissions, the bucket has full
// permissions, and we need to restrcit all the permissions we don't want to give
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
}
]
}
Related
I have setup a AWS SFTP server with custom api gateway identity provider. The user is created as SFTP/username in secrets manager with following key, value pairs -
Password: <passwordvalue>
Role: <roleARN> // roleARN policy is as follows
HomeDirectory: /<s3bucketname>/<username>
The roleARN's policy is as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketContents",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:ListBucketVersions",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::<s3bucketname>"
},
{
"Sid": "AllUserReadAccessInUserFolder",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/*"
]
},
{
"Sid": "AllUserFullAccessForToFolders",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/To/*"
]
},
{
"Sid": "AllUserReadAccessForFromFolders",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/From/*"
]
},
{
"Sid": "DenyUserFromDeletingStandardFolders",
"Action": [
"s3:DeleteObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/To/",
"arn:aws:s3:::<s3bucketname>/<username>/From/"
]
}
]
}
With the current policy I have correct permissions for a specific user and the permissions/access is working as expected, but the problem is the hardcoded user in the policy.
I now have to create one more user for SFTP in secrets manager and was expecting to use the same IAM role what I have used for first user. I found that this can be achieved using session policies (https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html) that I can use same role/policy for multiple sftp users in secrets manager.
But I am having hard time getting it to work.
When I am replacing in the policy - the s3bucketname with ${transfer:HomeBucket}
and related values as mentioned in the session policies link above - I was expecting it to work, but I kept running into access denied issues when trying to list the s3 bucket contents via SFTP client.
Can someone help me understand what am I missing here, any help greatly appreciated.
Got to know that I need to use HomeDirectoryDetails instead of HomeDirectory the logical directory - https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/
Thanks.
I am trying to restrict an IAM role to only be able to access a specific subfolder (key prefix) in an S3 bucket. Here's the policy JSON I'm using, but currently the user can still access other folders in the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:ListBucketVersions",
"s3:ListBucketByTags",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::mybucket/datasets/company1/*"
]
}
]
}
Currently, using this role I can still do, e.g.
aws s3 cp s3://mybucket/datasets/company2/dataset.csv
and download the dataset. What am I doing wrong?
When I try and simulate the policy it seems to be correct (trying to getObject on mybucket/datasets/company2/dataset.csv fails implicitly, but this does not happen in practice. There are no other policies attached to this user.
I have set a permission on the bucket that allows "Authenticated Users" to list, upload, and delete from a bucket I created. This seems to allow me to upload files to the bucket, but it appears that downloading files from the bucket is not covered by this permission, and I instead need to define a policy for the bucket. It's not clear to me how to set such a policy. I tried the policy generator with my best guesses at what I should fill in, but the result was not a valid policy when I pasted it in as a new policy for the bucket (it failed with the message Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number"). Can someone explain what is wrong with the following policy and how to set it correctly to allow authenticated users to retrieve files from the bucket?
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
s3:GetObject applies to the objects in the bucket so the Resource is correct: "Resource": "arn:aws:s3:::my-bucket/*".
s3:ListBucket applies to the Bucket itself and so the Resource should be "Resource": "arn:aws:s3:::my-bucket"
your resulting policy should resemble:
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt-some-other-number",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
Just to compliment #c4urself answer. the answer help solve my issue as well, but there is some indication from AWS documentation, which you can add more than one resource, just use [] to make them a list.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}
Update Bucket policy as below
{
"Version": "2012-10-17",
"Id": "Policy1546023103427",
"Statement": [
{
"Sid": "Stmt1546023101836",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::usagereports-atul",
"arn:aws:s3:::usagereports-atul/*"
]
}
]
}
Just make the resource and array/list of resources and add an item to the list with /* as s3:GetObject applies to arn:aws:s3:::my_secure_bucket/*. See below
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"
I'd like to restrict public access to some objects we have stored in S3, but show other objects in the same hierarchy of keys. For example, assume I want to make bucketname/* publicly readable. But want to prevent access to bucketname/*/hidden/* for any users that are not expressly given access in IAM.
I can do that with a bucket policy like:
{
"Id": "Policy123",
"Statement": [
{
"Sid": "Stmt123",
"Action": [ "s3:GetObject" ],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Principal": {
"AWS": [ "*" ]
}
},
{
"Sid": "Stmt124",
"Action": [ "s3:GetObject" ],
"Effect": "Deny",
"Resource": "arn:aws:s3:::bucketname/*/hidden/*",
"Principal": {
"AWS": [ "*" ]
}
]
}
But that prevents any IAM users/groups I have granted from accessing the hidden objects. Is there a setting for Principal in the second statement that only matches unauthenticated access? Or better yet, is there a way to list only those Principals that should NOT be affected by a policy statement?
According to AWS support, this is currently not possible. Any Deny policy overrides a matching (or subset) Allow policy and there is no way to deny anonymous access only.
A similar effect can be achieved by specifying a private ACL for all objects matching bucketname/*/hidden/*, but that is not as flexible and must be applied manually.
You don't need to set the policy on the bucket. In fact you can apply this same policy on the IAM user or group depending on what works best in your scenario.
https://console.aws.amazon.com/iam/home?#
Users
Select desired user
Click permissions tab
Attach user policy
Custom policy
Select
Copy and paste policy
Apply Policy
Sometimes extra permissions need to be added to the user so they can see the buckets to navigate. If for example they're using cloud berry you will need to give them list access to the main buckets. See for example one of my policies.
{
"Statement": [
{
"Sid": "Stmt1330983243489",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<allowbucket1>",
"arn:aws:s3:::<allowbucket1>/*"
]
},
{
"Sid": "Stmt1330983260440",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "Stmt1330983357419",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
Using AWS S3. I have a mixture of video and photo files. All of which are in their respective sub-directories. All files are set to private. I am getting AccessDenied when I try to access a video file. The other files are fine.
I tried this to no avail:
{
"Id": "Policy1331547131417",
"Statement": [
{
"Sid": "Stmt1331546963174",
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/videos/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt1331547083926",
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/photos/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt1331547130024",
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/banners/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
My bucket policy is the same for videos, photos, and banners. ACL permissions are also the same for all files. So why am I not able to access files from my videos directory?
How do you actually try to access your video files, i.e. by means of which tool, service, API?
The access method in use might actually require permission for the s3:ListBucket action as well, e.g. a JavaScript video player widget might implicitly look for various file formats of the video in question to present a respective selection to your user - you'll need to be aware of the difference between Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject), see my answer to Problems specifying a single bucket in a simple AWS user policy for more details on this.
Extending your video bucket policy accordingly might remedy this issue, e.g. (policy fragment only):
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::actual_bucket_name_here/uploads/users/*/videos",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
Please note that this policy fragment addresses the bucket, where yours only addresses the objects therein and both fragments are required - as mentioned above, this subtle difference is explained in my answer to Problems specifying a single bucket in a simple AWS user policy.
In addition to Steffen Opel answer.
Below is what worked for me.
{
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::BUCKET_NAME/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}