By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Not Able To Create a New Bucket - Policy Permissions Appear Correct

0

Hello,

I wanted to see if someone could point me in the right direction towards an AccessDenied error that I receive when creating a new Bucket via the CLI (I am not able to create via the web GUI, as that is not allowed for this account via my company's IT policy).

I do not seem to get any more specific info, other than CLI output of " An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied ". I receive this same error, whether I create directly via the commands s3 mb or s3api, or create as part of a cloudformation template (the stack create fails once this happens).

Checking Cloudtrail event logs, I confirmed that the correct role is being passed through the CLI, that I think should have more than sufficient permissions in its policy (listed at the bottom). Cloudtrail does not appear to show any other error details outside of "Access Denied".

Wanted to see if there may be an action or resource type that I may be missing generally to create a bucket?

Thanks,
Justin

{
"Effect": "Allow",
"Action": [
"cloudformation:",
"logs:",
"s3:",
"kms:"
],
"Resource": [
"arn:aws:cloudformation:us-east-1:ACCOUNT_NUMBER_HERE:stack/devops*",
"arn:aws:cloudformation:us-east-1:ACCOUNT_NUMBER_HERE:stack/IoT-Sitewise*",
"arn:aws:logs:us-east-1:ACCOUNT_NUMBER_HERE:log-group:/aws/",
"arn:aws:s3:::bucket",
"arn:aws:s3:::${BucketName}",
"arn:aws:s3:::AccountPublicAccessBlock*",
"arn:aws:s3:::object*",
"arn:aws:s3:::ACCOUNT_NUMBER_HERE-sitewises3*",
"arn:aws:s3:::ACCOUNT_NUMBER_HERE-sitewises3/",
"arn:aws:kms:us-east-1:ACCOUNT_NUMBER_HERE:key",
"arn:aws:kms:us-east-1:ACCOUNT_NUMBER_HERE:alias*"
]
}

Edited by: jf04145 on Nov 5, 2021 12:26 PM

Topics
Storage
Tags
Amazon Simple Storage Service
Language
English
jf04145
asked 2 years ago1879 views
9 Answers
0

Gotcha, thanks, I will give that a try

jf04145
answered 2 years ago
0

Thanks again. I was able to separate out the S3 permissions from the rest, but in order to put a wildcard on the S3 resource-id, I added a resource tag filter for the bucket per my organization's security requirements.

I have added this same resource tag/value to the S3 bucket resource in my Cloudformation template, and I think my syntax is correct (syntax verification passed at least), but I receive AccessDenied still on bucket creation within the CF stack. I've attached the new S3 policy items and CF template resource, in case there's something sticking out that I missed.

I can also attach the error event from CloudTrail if helpful.

Thanks again

{
"Effect": "Allow",
"Action": [
"s3:Create*",
"s3:List*",
"s3:Get*",
"s3:Describe*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/component": [
"sitewise_bridge"
]
}
},
"Resource": [
"arn:aws:s3:::*"
]
}

Resources:
IoTSitewiseExportToS3DestinationBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
BucketName: !Sub ${BucketName}
AccessControl: Private
VersioningConfiguration:
Status: Enabled
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
Tags:
- Key: "component"
Value: "sitewise_bridge"

Edited by: jf04145 on Nov 10, 2021 8:56 AM

jf04145
answered 2 years ago
0

Are you able to share you cloud formation template?
Happy for you to send me this as a private message if you don't want to share it on a public forum.

Also just to check, you are including the policy statement within the following JSON:
{
"Version": "2012-10-17",
"Id": "ExamplePolicy01",
"Statement": [
<<statement goes here>>
]
}

TomB-AWS
answered 2 years ago
0

Thanks Tom - I will PM over my CF template and the policy in it's entirety if that works.

To your point, I am missing the ID entry in the policy, so I can definitely add that, have seen some other policies in my org that do not have it (for what it's worth).

Let me know if you don't see the message and I can resend (it appears to have sent but doesn't show in my sent messages yet)

Edited by: jf04145 on Nov 16, 2021 10:41 AM

jf04145
answered 2 years ago
0

Ok, I think I've identified the problem. You've applied a resource tag condition to the Bucket Creation, however tags wouldn't be applied until after a bucket is created. You need to separate out the create bucket, and don't apply a condition to it. Try this policy and let me know how you get on:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:Create*",
"s3:List*",
"s3:Get*",
"s3:Describe*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/component": [
"sitewise_bridge"
]
}
},
"Resource": [
"arn:aws:s3:::"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::"
]
}

TomB-AWS
answered 2 years ago
0

Thanks a bunch Tom, I will give that a try and report back.

jf04145
answered 2 years ago
0

repost

Edited by: jf04145 on Nov 24, 2021 10:39 AM

jf04145
answered 2 years ago
0

Thanks, Tom, that looks to have resolved my issue, I'm able to create the bucket via my Cloudformation template now. I really appreciate the help digging into this.

jf04145
answered 2 years ago
-1

The statement is correct, but you need to separate out the List Bucket and create bucket actions into another statement, as you need to apply a wild card for the resource-id part of the ARN. Add this to your statement and it should work. Worked for me when I tested it in the IAM Policy Simulator.

    {  
        "Sid": "s3statement",  
        "Effect": "Allow",  
        "Action": \[  
            "s3:CreateBucket",  
            "s3:ListAllMyBuckets",  
            "s3:GetBucketLocation"  
        ],  
        "Resource": \[  
            "arn:aws:s3:::*"  
        ]  
    }
TomB-AWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content