
Permission help requested


I am trying to lock down some buckets and running into a problem. I don't know if at one time people changed things, but some files are coming up denied, others show fine. Basically I want the whole bucket locked down with the exception of one file, and one IAM user that can upload, change, etc. So here is the only policy the bucket has:

{
    "Version": "2012-10-17",
    "Id": "Policy1557155133616",
    "Statement": [
        {
            "Sid": "Stmt1557154959314",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account#:user/myuser"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*"
        },
        {
            "Sid": "Stmt1557155073989",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/folder/file.js"
        }
    ]
}

Now, that above to me says give myuser full access, and everyone else has nothing except that one file.js. The problem is there are other files in that bucket; I can click and it shows them fine. When I look at a file's permissions, there is nothing explicit, so I am now lost!

I have Transmit (running on a Mac) and if I manually set none to read/write it says access denied.

Basically I want to reset the permissions on ALL files to no access, with just one readable. I don't see any simple GUI way or even a CLI way to say "reset all permissions on all the files to nothing", then via the bucket policy explicitly set that one file.

Any help is appreciated.

asked 7 years ago, 373 views
4 Answers
Accepted Answer

Hello

How are you logged in when going to S3, and how are you accessing test2 when you get access denied?
If you are logged in to AWS and clicking on the URL for test2 and you get an access denied, it is because the file is not public. The URL for test2 does not have a way to authenticate/authorize who you are; it is just a URL. If you click on the download file, it should work because it has the security token associated with it.

hope this helps
RT

answered 7 years ago

Hello
A few things:

These two links may come in handy too:
IAM policy simulator to test your policies:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

Become a policy ninja:
https://www.slideshare.net/AmazonWebServices/become-an-iam-policy-ninja

hope this helps
RT

answered 7 years ago

Thanks, I am trying to logically go through this in my head; if this was Linux I would just say "hey, chmod 600 *", then allow read to that one file and be done.

So logically I am trying to say:

User: me (allow all)
Everyone else: deny all except file.html, which should be allowed read by world.

According to the docs on NotPrincipal with Allow, "We strongly recommend that you do not use NotPrincipal in the same policy statement as "Effect": "Allow"." So, what is the best method to say deny all unless it's this file AND allow all to this user (even in layman's terms)?

Thanks

answered 7 years ago

Here is the most basic issue that I am using to try to get that understood. I have a test bucket with 2 text files, and here is what I have:

{
    "Version": "2012-10-17",
    "Id": "Policy1556908483700",
    "Statement": [
        {
            "Sid": "Stmt1556908464159",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::11111111111:user/lance"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::zzztest/test2.txt"
        },
        {
            "Sid": "Stmt1556908464159",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::zzztest/test1.txt"
        }
    ]
}

To me the above says the world can see test1.txt and only my user can see test2.txt. Well, I save that, and I can see 1 just fine; for 2 I get an error from the public side. But logged in, going to S3 (or the URL), I can click the bucket and I can see the 2 files, but test2 says access denied. So, before I start getting really te

answered 7 years ago
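To make the accepted answer's point concrete (a bare object URL carries no identity, so only statements with `"Principal": "*"` can ever match it), here is an added example, not code from this thread or from AWS: a small evaluator for the bucket-policy part of an S3 authorization decision, run over the zzztest policy from the last post and over the lock-down policy the question asks for. The user ARN and bucket names are taken from the thread; the account id is the placeholder the poster used. It models bucket policies only, not object ACLs, IAM user policies or Block Public Access, which a real request is also checked against.

```python
import fnmatch

# Constructed policies: the zzztest policy from the last post, and the
# lock-down the question asks for (one user full access, one public object).
USER = "arn:aws:iam::11111111111:user/lance"   # account id as written in the thread
ANONYMOUS = None                                # unauthenticated request, e.g. a bare URL

TEST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::zzztest/test2.txt"},
    {"Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::zzztest/test1.txt"},
]}

# Listing the bucket needs the bucket ARN itself; object operations need bucket/*.
LOCKDOWN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"]},
    {"Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/folder/file.js"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, caller):
    if principal == "*":
        return True      # "*" covers every caller, anonymous included
    if caller is ANONYMOUS:
        return False     # a bare URL carries no identity, so a named principal never matches
    return caller in _as_list(principal.get("AWS", []))

def _matches(value, patterns, fold_case=False):
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, caller, action, resource):
    """Bucket-policy-only decision: an explicit Deny wins, otherwise any
    matching Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt["Principal"], caller)
                and _matches(action, _as_list(stmt["Action"]), fold_case=True)
                and _matches(resource, _as_list(stmt["Resource"]))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Run against TEST_POLICY, an anonymous GetObject on test2.txt is implicitly denied while the same request from the lance ARN is allowed, which is exactly the split between "clicking the URL" and "clicking download in the console" that the accepted answer describes.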
