
Unanswered Questions tagged with IAM Policies


S3 bucket replication fails in multi-account architecture

I have a landing zone architecture. Account A has the source bucket, which is encrypted with a KMS CMK. Account B has the destination bucket, which is also encrypted with a KMS CMK (a different key from account A's). The KMS CMK was created in account C. I tried to configure S3 bucket replication from the source bucket to the destination bucket, but it keeps failing. The configuration is as follows:

1. IAM policy

(1) Account A (created by the S3 replication configuration; trust relationship with S3):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket-name",
        "arn:aws:s3:::source-bucket-name/*",
        "arn:aws:s3:::destination-bucket-name",
        "arn:aws:s3:::destination-bucket-name/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::source-bucket-name/*",
        "arn:aws:s3:::destination-bucket-name/*"
      ]
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::source-bucket-name/*"
          ],
          "kms:ViaService": "s3.ap-northeast-2.amazonaws.com"
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:kms:ap-northeast-2:A-account-id:key/source-bucket-encryption-key"
      ]
    },
    {
      "Action": [
        "kms:Encrypt"
      ],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::destination-bucket-name/*"
          ],
          "kms:ViaService": [
            "s3.ap-northeast-2.amazonaws.com"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:kms:ap-northeast-2:B-account-id:key/destination-bucket-encryption-key"
      ]
    }
  ]
}
```

(2) Account B: no IAM role

2. S3 bucket policy

(1) Account A: no bucket policy

(2) Account B:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Set permissions for objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Resource": "arn:aws:s3:::shbw-an2-sop-log-s3-repl-test/*"
    },
    {
      "Sid": "Set permissions on bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::A-account-id:role/service-role/s3crr_role_for_source-bucket-name"
      },
      "Action": [
        "s3:List*",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::destination-bucket-name"
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::A-account-id:root"
      },
      "Action": "s3:ObjectOwnerOverrideToBucketOwner",
      "Resource": "arn:aws:s3:::destination-bucket-name/*"
    }
  ]
}
```

3. KMS key policy

(1) Account A, account B (the first principal, account C, is the key owner):

```json
{
  "Version": "2012-10-17",
  "Id": "Key-Policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::C-account-id:root",
          "arn:aws:iam::A-account-id:root",
          "arn:aws:iam::B-account-id:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```

Please help me complete bucket replication!
0 answers, 0 votes, 21 views, asked a month ago

Restriction on CloudFormation StackSet with IAM condition cloudformation:TemplateUrl

I'm trying to restrict the S3 bucket used for **StackSet** templates with the IAM condition **cloudformation:TemplateUrl**, but it does not work as expected: the applied IAM policy always denies CreateStackSet. See the tested policy below. The [doc page](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions) explains that you can use the condition as usual, but there is a Note that is not clear to me:

![Enter image description here](/media/postImages/original/IMUjPviuTuSAaoxl5HvXktBQ)

For allowed CreateStackSet calls, the CloudTrail event includes the TemplateUrl in the context, so I don't understand why the condition does not work with StackSets. Thanks for your help!

```
{
  "eventVersion": "1.08",
  [...]
  "eventTime": "2022-08-09T15:42:50Z",
  "eventSource": "cloudformation.amazonaws.com",
  "eventName": "CreateStackSet",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "stackSetName": "test-deny1",
    "templateURL": "https://s3.amazonaws.com/trusted-bucket/EnableAWSCloudtrail.yml",
    "description": "Enable AWS CloudTrail. This template creates a CloudTrail trail, an Amazon S3 bucket where logs are published, and an Amazon SNS topic where notifications are sent.",
    "clientRequestToken": "1bd60a6d-f9dc-76a9-020a-f5a45f1bdf1e",
    "capabilities": [
      "CAPABILITY_IAM"
    ]
  },
  "responseElements": {
    "stackSetId": "test-deny1:97054f39-3925-47eb-92fd-09779f32bcf6"
  },
  [...]
}
```

For reference, my IAM policy statement:

```json
{
  "Sid": "TemplateFromTrustedBucket",
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStackSet",
    "cloudformation:UpdateStackSet"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "cloudformation:TemplateURL": "https://s3.amazonaws.com/trusted-bucket/*"
    }
  }
}
```
0 answers, 0 votes, 53 views, asked a month ago

Renaming an object in the S3 console fails if the ListAllMyBuckets permission is not granted

Hi, I have had a problem with a user not being able to rename an S3 object through the AWS console, despite having all the permissions over the bucket and the bucket objects. The IAM policy associated with the user is this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::s3-bucket-name",
        "arn:aws:s3:::s3-bucket-name/*"
      ]
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::s3-bucket-name"
    }
  ]
}
```

When the user tries to rename a file in the S3 bucket, the console complains about the *s3:PutObject* permission, which is granted, and the user sees an "Access denied" error in the AWS console.

![Access denied when renaming S3 object](https://repost.aws/media/postImages/original/IMX4V3P7N4TxiGZDcqeKXZPg)

The weirdest thing of all is that the problem is solved by adding the *ListAllMyBuckets* permission: once it is added to the user's IAM policy, the user is able to rename objects without a problem. This behavior is also documented on StackOverflow, in [this](https://stackoverflow.com/questions/33926553/aws-rename-permissions/63348973#63348973) answer and [this](https://stackoverflow.com/questions/42984344/renaming-object-from-in-aws-s3-console-with-iam-user/42996548#42996548) one. In addition, a StackOverflow user comments that this operation only fails through the AWS console, and that it works using the CLI. To me, fixing it by adding the *ListAllMyBuckets* permission doesn't make any sense, and it allows the user to see other bucket names.
0 answers, 0 votes, 37 views, asked 2 months ago

Network error when creating a labeling job: S3 bucket in input dataset location cannot be reached

I am currently trying to set up an AWS SageMaker Named Entity Recognition (NER) labeling job with this guide: https://aws.amazon.com/blogs/machine-learning/adding-a-data-labeling-workflow-for-named-entity-recognition-with-amazon-sagemaker-ground-truth/

I successfully uploaded my dataset to S3, but when I create my job I get this error:

> NetworkingError: Network Failure - The S3 bucket 'foreign-news-dataset' you entered in Input dataset location cannot be reached. Either the bucket does not exist, or you do not have permission to access it. If the bucket does not exist, update Input dataset location with a new S3 URI. If the bucket exists, give the IAM entity you are using to create this labeling job permission to read and write to this S3 bucket, and try your request again.

I've tested whether the dataset exists, which it does, and AWS successfully generated a manifest file for my dataset when I passed in the S3 path to the dataset directory (I originally tried using the automated data setup option). I also created an IAM role inside of the AWS tool with permissions to access all of the files on the account, so I think it should have permission to this S3 bucket. Screenshots of my setup are attached.

[S3 Bucket Setup](https://i.stack.imgur.com/ONCkS.png)

![Sagemaker settings](https://repost.aws/media/postImages/original/IMjJiklt0LTVevhV8E3TtDMw)

![IAM role settings](https://repost.aws/media/postImages/original/IMXTPxA2x6TCamXVrI12fsrQ)
0 answers, 0 votes, 51 views, asked 2 months ago