Adding S3 Bucket Policy Causes S3 Replication to Fail
Hello, can anyone help me with the case below? I wanted my bucket to be accessible from specific IPs only, otherwise deny. I set up the S3 bucket policy as follows:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "x.x.x.x"
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
For S3 replication, I configured the S3 Replication Rule as per the AWS Docs by setting the following policies and attaching them to an IAM role. The trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The permissions policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::SourceBucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::SourceBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Resource": "arn:aws:s3:::DestinationBucket/*"
    }
  ]
}
Without the bucket policy, objects are replicated smoothly. Once I add the bucket policy, replication fails every time. I have no idea why.
Regards, Ohnmar
asked a month ago
1 Answer
Accepted Answer
Have you tried specifically allowing the role being used for replication in the bucket policy? Like this:
"Condition": {
  "NotIpAddress": {
    "aws:SourceIp": "x.x.x.x"
  },
  "Bool": {
    "aws:ViaAWSService": "false"
  },
  "ArnNotEquals": {
    "aws:PrincipalArn": "arn:aws:iam::<account id>:role/service-role/<role name>"
  }
}
answered a month ago
Thanks Ed, it did work.
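The accepted answer works because every operator block inside a single Condition is ANDed: the Deny fires only when the caller's IP is outside the allowed range AND aws:ViaAWSService is false AND (after the fix) the principal is not the replication role. The Python below is an added example, not code from the original thread or from AWS; it builds the asker's Deny statement with and without the answerer's ArnNotEquals block and evaluates it against three constructed request contexts. The CIDR, account id, role ARN and source IPs are placeholders, and the replication request is modelled with aws:ViaAWSService set to "false" because that is the behaviour the thread reports (the deny applied to replication traffic).

```python
"""Offline model of how the Deny statement's Condition block is evaluated.

Not an AWS API: it reproduces only the three operators used in the thread
and assumes every referenced condition key is present in the request context.
"""
import ipaddress
import json

# Placeholder values: substitute the real office CIDR, account id and role name.
ALLOWED_CIDRS = ["203.0.113.0/24"]                                              # constructed (TEST-NET-3)
REPLICATION_ROLE = "arn:aws:iam::123456789012:role/service-role/replication-role"  # placeholder
BUCKET_ARNS = ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]


def deny_statement(with_role_exception: bool) -> dict:
    """Asker's Deny statement, optionally extended with the answer's ArnNotEquals block."""
    condition = {
        "NotIpAddress": {"aws:SourceIp": ALLOWED_CIDRS},
        "Bool": {"aws:ViaAWSService": "false"},
    }
    if with_role_exception:
        condition["ArnNotEquals"] = {"aws:PrincipalArn": REPLICATION_ROLE}
    return {
        "Sid": "IPAllow",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
        "Condition": condition,
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _not_ip_address(actual: str, expected) -> bool:
    """True when the request IP falls outside every listed CIDR."""
    ip = ipaddress.ip_address(actual)
    return not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected))


def _bool(actual: str, expected) -> bool:
    return actual.lower() == str(_as_list(expected)[0]).lower()


def _arn_not_equals(actual: str, expected) -> bool:
    return actual not in _as_list(expected)


OPERATORS = {"NotIpAddress": _not_ip_address, "Bool": _bool, "ArnNotEquals": _arn_not_equals}


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Every operator block, and every key inside it, must match (logical AND)."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, expected in keys.items():
            if not match(ctx[key], expected):
                return False
    return True


def deny_applies(statement: dict, ctx: dict) -> bool:
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], ctx)


# Constructed request contexts (IPs from TEST-NET ranges, principals invented).
REQUESTS = {
    "office_client": {"aws:SourceIp": "203.0.113.10", "aws:ViaAWSService": "false",
                      "aws:PrincipalArn": "arn:aws:iam::123456789012:user/alice"},
    # S3 replication: source address outside the office range, assumed ViaAWSService=false
    # to reproduce the failure the thread describes.
    "replication_role": {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "false",
                         "aws:PrincipalArn": REPLICATION_ROLE},
    "outsider": {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "false",
                 "aws:PrincipalArn": "arn:aws:iam::123456789012:user/bob"},
}


def outcomes(with_role_exception: bool) -> dict:
    """Map each sample request to whether the Deny statement blocks it."""
    stmt = deny_statement(with_role_exception)
    return {name: deny_applies(stmt, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(deny_statement(True), indent=2))
    for fixed in (False, True):
        print("with role exception" if fixed else "original policy", outcomes(fixed))
```

With the original statement the replication role is denied alongside the outsider; adding the ArnNotEquals block makes one of the ANDed conditions false for that role, so the Deny no longer matches it, while the outsider stays blocked and the office client is unaffected in both cases.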