Not Able To Create a New Bucket - Policy Permissions Appear Correct

0

Hello,

I wanted to see if someone could point me in the right direction towards an AccessDenied error that I receive when creating a new Bucket via the CLI (I am not able to create via the web GUI, as that is not allowed for this account via my company's IT policy).

I do not seem to get any more specific info, other than CLI output of "An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied". I receive this same error, whether I create directly via the commands s3 mb or s3api, or create as part of a cloudformation template (the stack create fails once this happens).

Checking Cloudtrail event logs, I confirmed that the correct role is being passed through the CLI, that I think should have more than sufficient permissions in its policy (listed at the bottom). Cloudtrail does not appear to show any other error details outside of "Access Denied".

Wanted to see if there may be an action or resource type that I may be missing generally to create a bucket?

Thanks,
Justin

    {
        "Effect": "Allow",
        "Action": [
            "cloudformation:*",
            "logs:*",
            "s3:*",
            "kms:*"
        ],
        "Resource": [
            "arn:aws:cloudformation:us-east-1:ACCOUNT_NUMBER_HERE:stack/devops*",
            "arn:aws:cloudformation:us-east-1:ACCOUNT_NUMBER_HERE:stack/IoT-Sitewise*",
            "arn:aws:logs:us-east-1:ACCOUNT_NUMBER_HERE:log-group:/aws/*",
            "arn:aws:s3:::bucket*",
            "arn:aws:s3:::${BucketName}",
            "arn:aws:s3:::AccountPublicAccessBlock*",
            "arn:aws:s3:::object*",
            "arn:aws:s3:::ACCOUNT_NUMBER_HERE-sitewises3*",
            "arn:aws:s3:::ACCOUNT_NUMBER_HERE-sitewises3/*",
            "arn:aws:kms:us-east-1:ACCOUNT_NUMBER_HERE:key*",
            "arn:aws:kms:us-east-1:ACCOUNT_NUMBER_HERE:alias*"
        ]
    }

Edited by: jf04145 on Nov 5, 2021 12:26 PM

jf04145
Asked 3 years ago, 2072 views
9 answers
0

Gotcha, thanks, I will give that a try

jf04145
Answered 3 years ago
0

Thanks again. I was able to separate out the S3 permissions from the rest, but in order to put a wildcard on the S3 resource-id, I added a resource tag filter for the bucket per my organization's security requirements.

I have added this same resource tag/value to the S3 bucket resource in my Cloudformation template, and I think my syntax is correct (syntax verification passed at least), but I receive AccessDenied still on bucket creation within the CF stack. I've attached the new S3 policy items and CF template resource, in case there's something sticking out that I missed.

I can also attach the error event from CloudTrail if helpful.

Thanks again

    {
        "Effect": "Allow",
        "Action": [
            "s3:Create*",
            "s3:List*",
            "s3:Get*",
            "s3:Describe*"
        ],
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/component": [
                    "sitewise_bridge"
                ]
            }
        },
        "Resource": [
            "arn:aws:s3:::*"
        ]
    }

    Resources:
      IoTSitewiseExportToS3DestinationBucket:
        Type: AWS::S3::Bucket
        DeletionPolicy: Retain
        Properties:
          BucketName: !Sub ${BucketName}
          AccessControl: Private
          VersioningConfiguration:
            Status: Enabled
          BucketEncryption:
            ServerSideEncryptionConfiguration:
              - ServerSideEncryptionByDefault:
                  SSEAlgorithm: AES256
          Tags:
            - Key: "component"
              Value: "sitewise_bridge"

Edited by: jf04145 on Nov 10, 2021 8:56 AM

jf04145
Answered 3 years ago
0

Are you able to share your CloudFormation template?
Happy for you to send me this as a private message if you don't want to share it on a public forum.

Also just to check, you are including the policy statement within the following JSON:

    {
        "Version": "2012-10-17",
        "Id": "ExamplePolicy01",
        "Statement": [
            <<statement goes here>>
        ]
    }

Answered 3 years ago
0

Thanks Tom - I will PM over my CF template and the policy in its entirety if that works.

To your point, I am missing the ID entry in the policy, so I can definitely add that, have seen some other policies in my org that do not have it (for what it's worth).

Let me know if you don't see the message and I can resend (it appears to have sent but doesn't show in my sent messages yet)

Edited by: jf04145 on Nov 16, 2021 10:41 AM

jf04145
Answered 3 years ago
0

Ok, I think I've identified the problem. You've applied a resource tag condition to the Bucket Creation; however, tags wouldn't be applied until after a bucket is created. You need to separate out the create bucket, and don't apply a condition to it. Try this policy and let me know how you get on:

    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "s3:Create*",
            "s3:List*",
            "s3:Get*",
            "s3:Describe*"
        ],
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/component": [
                    "sitewise_bridge"
                ]
            }
        },
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Sid": "VisualEditor2",
        "Effect": "Allow",
        "Action": [
            "s3:CreateBucket"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    }

Answered 3 years ago
0

Thanks a bunch Tom, I will give that a try and report back.

jf04145
Answered 3 years ago
0

repost

Edited by: jf04145 on Nov 24, 2021 10:39 AM

jf04145
Answered 3 years ago
0

Thanks, Tom, that looks to have resolved my issue, I'm able to create the bucket via my Cloudformation template now. I really appreciate the help digging into this.

jf04145
Answered 3 years ago
-1

The statement is correct, but you need to separate out the List Bucket and create bucket actions into another statement, as you need to apply a wild card for the resource-id part of the ARN. Add this to your statement and it should work. Worked for me when I tested it in the IAM Policy Simulator.

    {
        "Sid": "s3statement",
        "Effect": "Allow",
        "Action": [
            "s3:CreateBucket",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    }

Answered 3 years ago
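The failure mode Tom identifies above (an aws:ResourceTag condition can never match on CreateBucket, because the bucket and its tags do not exist yet, so the create action must sit in its own unconditioned statement) and the same split recommended in the answer immediately above, as an added example that is not code from this thread: a small Python linter that parses a policy document and flags Allow statements whose resource-tag condition would silently block create-type actions. The CREATE_ACTIONS list and both sample policies are constructed for illustration.

```python
import fnmatch
import json

# Constructed list of create-type actions; aws:ResourceTag is absent from the
# request context for these because the resource (and its tags) does not exist yet.
CREATE_ACTIONS = {"s3:CreateBucket", "kms:CreateKey", "logs:CreateLogGroup"}

def _as_list(value):
    """IAM allows a scalar or a list for Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]

def statement_blocks_creation(stmt):
    """Return create actions this Allow statement names but can never grant,
    because a non-IfExists aws:ResourceTag condition must match at request time."""
    if stmt.get("Effect") != "Allow":
        return []
    tag_keys = [key
                for op_name, op in stmt.get("Condition", {}).items()
                if not op_name.endswith("IfExists")  # ...IfExists passes when the key is missing
                for key in op if key.startswith("aws:ResourceTag/")]
    if not tag_keys:
        return []
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]  # action match is case-insensitive
    return sorted(a for a in CREATE_ACTIONS
                  if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))

def lint_policy(policy):
    """Map each offending statement (by Sid, or index) to the create actions it fails to allow."""
    findings = {}
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        blocked = statement_blocks_creation(stmt)
        if blocked:
            findings[stmt.get("Sid", f"statement[{i}]")] = blocked
    return findings

# Constructed samples: the thread's tag-conditioned statement, and the same grant
# split so that CreateBucket sits in its own unconditioned statement.
BROKEN = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "TaggedS3", "Effect": "Allow", "Action": ["s3:Create*", "s3:List*", "s3:Get*"],
   "Condition": {"StringEquals": {"aws:ResourceTag/component": ["sitewise_bridge"]}},
   "Resource": ["arn:aws:s3:::*"]}]}""")
FIXED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "TaggedS3", "Effect": "Allow", "Action": ["s3:List*", "s3:Get*"],
   "Condition": {"StringEquals": {"aws:ResourceTag/component": ["sitewise_bridge"]}},
   "Resource": ["arn:aws:s3:::*"]},
  {"Sid": "CreateBucket", "Effect": "Allow", "Action": ["s3:CreateBucket"],
   "Resource": ["arn:aws:s3:::*"]}]}""")
```

Running `lint_policy(BROKEN)` reports `{'TaggedS3': ['s3:CreateBucket']}`, while `lint_policy(FIXED)` returns an empty dict; the same check is a cheap pre-deploy gate for policies that pair `Create*` wildcards with resource-tag conditions.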
