creating IAM policy for Amazon S3

Tags: amazon-s3

I am trying to implement an IAM policy where a user can only have access to the folder he is entitled to. I got this code from the Amazon docs:

Allow a user to list only the objects in his or her home directory in the corporate bucket

This example builds on the previous example that gives Bob a home directory. To give Bob the ability to list the objects in his home directory, he needs access to ListBucket. However, we want the results to include only objects in his home directory, and not everything in the bucket. To restrict his access that way, we use the policy condition key called s3:prefix with the value set to home/bob/. This means that only objects with a prefix home/bob/ will be returned in the ListBucket response.

{
  "Statement":[{
    "Effect":"Allow",
    "Action":"s3:ListBucket",
    "Resource":"arn:aws:s3:::my_corporate_bucket",
    "Condition":{
      "StringLike":{
        "s3:prefix":"home/bob/*"
      }
    }
  }]
}

This is not working for me. When I run my code I am able to see all the folders and subfolders. My modified code looks something like this:

{
  "Statement":[{
    "Effect":"Allow",
    "Action":"s3:ListBucket",
    "Resource":"arn:aws:s3:::Test-test",
    "Condition":{
      "StringLike":{
        "s3:prefix":"Test/*"
      }
    }
  }]
}

When I run my code in C# using the credentials of the user that is attached to the above policy, I get all the folders and not just the one under "Test"... Would really appreciate some help!

Abhi.Net asked Jan 17 '23 17:01


2 Answers

I finally got it working. Although I think there is a bug in the AWS management console, or at least it seems like one. The problem is my policy was right all along, but it behaved differently when I accessed it through the AWS management console than through software like CloudBerry. One thing I had to modify was the ACL settings for objects and buckets. That too would have been done earlier had the AWS console worked properly. Anyway, here is my policy:

{
  "Statement": [

    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::pa-test",
      "Condition": {
        "StringLike": {
          "s3:prefix": "test/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::pa-test/test/*",
      "Condition": {}
    }
  ]
}

1) The problem is that when I access the management console for this IAM user through the AWS console I get access denied when I click on my bucket, although when I log in through CloudBerry I can see my folders.

2) I had to modify the ACL settings for my bucket and objects (folders).

For my bucket: Owner: Full Control; Authenticated Users: Read only

For my folders: Owner: Full Control

Now the issue is that you cannot set ACL settings for folders (objects) in the AWS console. You can set them for files (objects). For example, if you right click on a folder (object) inside a bucket and then click properties, it won't show you a permissions tab. But if you right click on a bucket or a file (say test.html) and click properties, it will show you a permissions tab. I am not sure if someone else has noticed this issue. Anyway, that is my script and it's working now.

Abhi.Net answered Jan 19 '23 08:01


The result you are expecting from ListBucket does not happen like that, because the policy only lets you allow and deny access on the objects according to the bucket policy. ListBucket will list all the objects, but you will have access only to the prefix folder and its content.

If you want to list only the folder, then you have to code for that: read the IAM policy, get the prefix string, and then list with that prefix; then you will get only the desired folder, because till now no such option is provided by Amazon S3.

Tej Kiran answered Jan 19 '23 08:01
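To check what the s3:prefix condition in the question's policy actually grants, here is an added offline model of the IAM evaluation rules that policy relies on (constructed for this page; it is not AWS code and not code from the thread). It shows that an Allow with a StringLike condition matches only when the ListBucket request carries a matching s3:prefix, and that a call which sends no Prefix (whether IAM sees the key as absent or as an empty string) receives no Allow from this statement at all. Assumed: only Allow effects and the StringLike operator are modelled, and Explicit Deny is left out because the thread's policies contain none.

```python
import json
import re
# The asker's policy with its missing closing brace restored.
POLICY = json.loads("""
{
  "Statement":[{
    "Effect":"Allow",
    "Action":"s3:ListBucket",
    "Resource":"arn:aws:s3:::Test-test",
    "Condition":{"StringLike":{"s3:prefix":"Test/*"}}
  }]
}
""")
BUCKET = "arn:aws:s3:::Test-test"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _string_like(pattern, value):
    # IAM StringLike: case-sensitive; '*' matches any run, '?' one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _conditions_hold(condition, context):
    # A condition key absent from the request context makes the block false.
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            if key not in context:
                return False
            if not any(_string_like(p, context[key]) for p in _as_list(patterns)):
                return False
    return True

def is_allowed(policy, action, resource, context):
    """True if an Allow statement covers the action, resource and conditions
    (explicit Deny is not modelled; the thread's policies contain none)."""
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and action in _as_list(stmt["Action"])
                and resource in _as_list(stmt["Resource"])
                and _conditions_hold(stmt.get("Condition", {}), context)):
            return True
    return False

def list_request_allowed(prefix):
    """One ListBucket call on the bucket; prefix=None means no Prefix sent."""
    context = {} if prefix is None else {"s3:prefix": prefix}
    return is_allowed(POLICY, "s3:ListBucket", BUCKET, context)
```

Run `list_request_allowed` with `"Test/"`, `""` and `None` to see that only requests scoped to the permitted prefix are allowed, so a listing that returns every folder must come from some other statement or policy attached to the user, not from this one.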