S3 bucket replication conflicting with a rule that enforces TLS 1.2 on a bucket

0

I've set up replication as per the instructions at this link (with a batch process to copy existing objects):

https://aws.amazon.com/getting-started/hands-on/replicate-existing-objects-with-amazon-s3-batch-replication/?ref=docs_gateway/amazons3/s3-batch-replication-batch.html

But I have found that the following TLS 1.2 enforcement rule stops the batch configuration role that I have set up from having access to the s3:PutInventoryConfiguration permission, which causes the process to fail. Can anyone explain why this might be? I'd like to retain the TLS 1.2 rule for the time being so we can root out any non-compliant access.

    {
        "Sid": "EnforceTLSv12orHigher",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::<bucketname>/*",
            "arn:aws:s3:::<bucketname>"
        ],
        "Condition": {
            "Bool": {
                "aws:SecureTransport": "true"
            },
            "NumericLessThan": {
                "s3:TlsVersion": "1.2"
            }
        }
    }

2 Answers
1

Hi,

There are two corrections required in your bucket policy:

  1. 1.2 should not be enclosed in double quotes.
  2. There should be a comma between the two entries in the Resource section.

Your bucket policy should look like the one below:

    {
        "Sid": "EnforceTLSv12orHigher",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::<bucketname>/*",
            "arn:aws:s3:::<bucketname>"
        ],
        "Condition": {
            "Bool": {
                "aws:SecureTransport": "true"
            },
            "NumericLessThan": {
                "s3:TlsVersion": 1.2
            }
        }
    }

Just FYI, this policy would allow HTTP connections and deny only HTTPS connections where the TLS version is lower than 1.2. I believe you understand that.

Hope you find this information helpful.

Comment here if you have additional questions, happy to help.

Abhishek

AWS EXPERT, answered 9 months ago
reviewed 9 months ago

  • Do you have any additional questions? Happy to help.

  • Thanks - I have tried making the changes in the console for the bucket in question, but on saving the changes the double quotes get reinstated automatically (unfortunately the missing comma was an error in translation when I replaced the original <bucketname> when creating my post). Additionally, with this part of my policy in place, the batch process for replicating existing objects fails with the following error (but succeeds when I remove the EnforceTLSv12orHigher rule):

    "Error occurred when preparing manifest: Access denied when accessing arn:aws:s3:::<bucketname>. s3:PutInventoryConfiguration required for the role."

  • Let me test this.

  • I verified this through curl and was able to test this policy successfully: I downloaded a file using TLS 1.2, but the download failed when I used TLS 1.0. I'm trying to find some documentation to confirm which TLS version is being used under the hood. I know that the AWS CLI uses the latest version of TLS by default, which is why I haven't tried PutInventoryConfiguration through the CLI, but I'll try that as well here.
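The point the answer makes about HTTP is easy to check offline. The following is an added example, not code from the original post or from AWS: it builds the asker's Deny statement plus a second statement that also denies plaintext HTTP, and evaluates both policies against constructed request contexts using a small model of the two condition operators involved (Bool and NumericLessThan, one value per key). The bucket name `example-bucket` and the statement id `DenyInsecureTransport` are placeholders; Principal, Action and Resource matching is not modelled because both statements use `*` over the whole bucket.

```python
"""Offline model of the Deny statement from the question.

Added example; not code from the original post or from AWS. It models only
the two condition operators the statement uses (Bool and NumericLessThan),
with one value per key, and represents an S3 request as the dict of
condition keys the service would populate, so nothing here talks to AWS.
"""
import json

BUCKET = "example-bucket"  # placeholder, not the asker's bucket name
RESOURCES = [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]

# The asker's statement. "1.2" is kept as a string, which is how the console
# stores it; IAM still compares NumericLessThan values as numbers.
DENY_OLD_TLS = {
    "Sid": "EnforceTLSv12orHigher",
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Action": "s3:*",
    "Resource": RESOURCES,
    "Condition": {
        "Bool": {"aws:SecureTransport": "true"},
        "NumericLessThan": {"s3:TlsVersion": "1.2"},
    },
}

# Companion statement (placeholder Sid) covering the gap both answers point
# out: a plaintext HTTP request has aws:SecureTransport=false and no
# s3:TlsVersion key at all, so DENY_OLD_TLS never matches it.
DENY_PLAINTEXT = {
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Action": "s3:*",
    "Resource": RESOURCES,
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}

POLICY_AS_POSTED = {"Version": "2012-10-17", "Statement": [DENY_OLD_TLS]}
POLICY_HARDENED = {"Version": "2012-10-17",
                   "Statement": [DENY_OLD_TLS, DENY_PLAINTEXT]}

# Constructed request contexts. Plaintext HTTP carries no s3:TlsVersion key
# because no TLS handshake took place.
REQUESTS = {
    "http": {"aws:SecureTransport": "false"},
    "tls1.0": {"aws:SecureTransport": "true", "s3:TlsVersion": "1.0"},
    "tls1.1": {"aws:SecureTransport": "true", "s3:TlsVersion": "1.1"},
    "tls1.2": {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2"},
    "tls1.3": {"aws:SecureTransport": "true", "s3:TlsVersion": "1.3"},
}


def condition_matches(condition, ctx):
    """Every operator/key pair must match; a key missing from the request
    context does not match (no ...IfExists operator is used here)."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            if key not in ctx:
                return False
            have = ctx[key]
            if operator == "Bool":
                if str(have).lower() != str(want).lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(have) < float(want):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_denied(policy, ctx):
    """True when any Deny statement's conditions match the request context."""
    return any(
        s["Effect"] == "Deny" and condition_matches(s.get("Condition", {}), ctx)
        for s in policy["Statement"]
    )


def outcomes(policy):
    """Map each constructed request to whether the policy denies it."""
    return {name: is_denied(policy, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("as posted", POLICY_AS_POSTED),
                          ("hardened", POLICY_HARDENED)):
        print(label, outcomes(policy))
    print(json.dumps(POLICY_HARDENED, indent=2))
```

With the statement as posted, `http` comes back as not denied while `tls1.0` and `tls1.1` are denied; adding the second statement closes the plaintext gap without touching the TLS 1.2 and 1.3 cases. The hardened policy is printed as JSON so it can be pasted into the console; the real end-to-end check is still a client test such as the curl one the answerer describes.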

-1

Hello,

The only error I see in your bucket policy is a missing semicolon between the two resources:

"arn:aws:s3:::<bucketname>/*",
"arn:aws:s3:::<bucketname>"

Also, your bucket policy is currently allowing HTTP, because it only denies HTTPS traffic with a TLS version lower than 1.2.

Check the error message:

Easiest: Check if CloudTrail logged the API call for s3:PutInventoryConfiguration by default (management events). If not, you probably have to create a CloudTrail trail and enable data event logging. Not sure if it is a management event or a CloudTrail event.

Moderate: You can try to customize the role used for creating the inventory to allow you to assume it, and then try the process manually to get the error message, either via the CLI or the console.

Sincerely Heiko

HeikoMR
answered 9 months ago
  • Thank you - as I mentioned above, with the TLS rule in place the batch process for replicating existing objects fails with the following error: "Error occurred when preparing manifest: Access denied when accessing arn:aws:s3:::<bucketname>. s3:PutInventoryConfiguration required for the role."

    The batch process has an associated role which explicitly allows the PutInventoryConfiguration action on the source bucket. Everything works fine until I reinstate the rule to restrict TLS >= 1.2 for HTTPS.
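The "easiest" route in the answer above, checking what CloudTrail recorded, can be scripted once a trail's log file is in hand. The following is an added example, not code from the original post or from AWS. It parses a CloudTrail log file (a JSON object with a `Records` array), lists S3 calls that ended in `AccessDenied` for a given API name, and tallies the TLS version each S3 caller negotiated as reported in the record's `tlsDetails` field, which is the piece of information the first answerer was still looking for. The three records are constructed to mimic the CloudTrail S3 event layout; the account id, role and user names and the bucket `example-bucket` are placeholders, and the script assumes the trail actually captured the calls of interest.

```python
"""Triage CloudTrail records for the failing S3 call from the thread.

Added example, not from the original post. The records below are constructed
to mimic the CloudTrail S3 event layout (eventSource, eventName, errorCode,
userIdentity, requestParameters, tlsDetails); the account id, role name and
bucket are placeholders. It assumes the trail captured the events of interest.
"""
import json
from collections import Counter

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # constructed: the bucket-level call the batch job fails on
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutInventoryConfiguration",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/batch-replication-role/s3-batch"},
        "requestParameters": {"bucketName": "example-bucket"},
        "tlsDetails": {"tlsVersion": "TLSv1.2",
                       "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"},
    },
    {   # constructed: a compliant read that succeeded (no errorCode)
        "eventTime": "2024-01-01T10:00:05Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/analyst"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
        "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256"},
    },
    {   # constructed: a legacy client the Deny statement is meant to surface
        "eventTime": "2024-01-01T10:00:09Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/legacy-app"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
        "tlsDetails": {"tlsVersion": "TLSv1.0", "cipherSuite": "ECDHE-RSA-AES128-SHA"},
    },
]})


def load_records(text):
    """Parse one CloudTrail log file (a JSON object with a Records array)."""
    return json.loads(text).get("Records", [])


def denied_s3_calls(records, event_name=None):
    """Summarise S3 calls that ended in AccessDenied, optionally one API name.
    The negotiated TLS version comes from tlsDetails, so a denial by the TLS
    condition can be told apart from an ordinary permissions gap."""
    rows = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        if r.get("errorCode") != "AccessDenied":
            continue
        if event_name and r.get("eventName") != event_name:
            continue
        rows.append({
            "time": r.get("eventTime"),
            "event": r.get("eventName"),
            "principal": r.get("userIdentity", {}).get("arn"),
            "bucket": r.get("requestParameters", {}).get("bucketName"),
            "tls": r.get("tlsDetails", {}).get("tlsVersion", "none"),
        })
    return rows


def tls_histogram(records):
    """Count S3 calls per negotiated TLS version ("none" if no tlsDetails)."""
    return Counter(
        r.get("tlsDetails", {}).get("tlsVersion", "none")
        for r in records if r.get("eventSource") == "s3.amazonaws.com"
    )


def below_tls12(records):
    """Principals seen using TLS 1.0/1.1 against S3: the non-compliant
    clients the asker wants to root out before tightening further."""
    old = {"TLSv1", "TLSv1.0", "TLSv1.1"}
    return sorted({
        r.get("userIdentity", {}).get("arn")
        for r in records
        if r.get("eventSource") == "s3.amazonaws.com"
        and r.get("tlsDetails", {}).get("tlsVersion") in old
    })


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for row in denied_s3_calls(recs, "PutInventoryConfiguration"):
        print(row)
    print(tls_histogram(recs))
    print(below_tls12(recs))
```

In the constructed sample the denied PutInventoryConfiguration call shows TLSv1.2 in its record, which is the kind of evidence that separates a TLS-condition denial from some other cause; the histogram and `below_tls12` list are the view to keep watching while the rule is in place for the compliance sweep the asker describes.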
