How to let user upload files to S3 bucket, but not overwrite or delete

amazon s3amazon-iam

I have the following IAM policy for a user

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1395161912000",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::bucketname"
      ]
    },
    {
      "Sid": "list",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

The goal is to let the user upload files to the bucket, but not overwrite or delete. It's for backup. I started out with ListBucket and PutObject, but added * as it didn't work. Not even * lets the user upload files, just getting Access Denied.

When I try the Simulator, it returns Denied - Implicitly denied (no matching statements found). for ListBucket, which seems odd since I've implicitly allowed that.

I've tried both Cyberduck and 3Hub as S3 clients.

Any idea what's wrong?

Best Answer

When crafting Amazon IAM policies for Amazon S3, you need to be aware of the difference between Operations on the Service (e.g. ListAllMyBuckets), Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject).

In particular, the Resource specification of your policy needs to address the appropriate target entities according to the following patterns (see e.g. the various Example Policies for Amazon S3):

Operations on Service - arn:aws:s3:::*
Operations on Buckets - arn:aws:s3:::<bucket>
Operations on Objects - arn:aws:s3:::<bucket>/<object>

Solution

You are encountering Access Denied, because you've specified a bucket level resource for PutObject, which requires an object level resource specification like arn:aws:s3:::<bucket>/* - accordingly, the following policy should cover your sample use case:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucketname"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucketname/*"
      ]
    }
  ]
}

Related Solutions

Causing Access Denied when using the aws cli to download from Amazon S3

I was struggling with this, too, but I found an answer over here https://stackoverflow.com/a/17162973/1750869 that helped resolve this issue for me. Reposting answer below.

You don't have to open permissions to everyone. Use the below Bucket policies on source and destination for copying from a bucket in one account to another using an IAM user

Bucket to Copy from – SourceBucket

Bucket to Copy to – DestinationBucket

Source AWS Account ID - XXXX–XXXX-XXXX

Source IAM User - src–iam-user

The below policy means – the IAM user - XXXX–XXXX-XXXX:src–iam-user has s3:ListBucket and s3:GetObject privileges on SourceBucket/* and s3:ListBucket and s3:PutObject privileges on DestinationBucket/*

On the SourceBucket the policy should be like:

{
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::SourceBucket",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
    },
    {
        "Sid": "Stmt1357935676138",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: SourceBucket/*",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
   }
]
}

On the DestinationBucket the policy should be:

{
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: DestinationBucket",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
    },
    {
        "Sid": "Stmt1357935676138",
        "Action": ["s3:PutObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: DestinationBucket/*",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
   }
]
}

command to be run is s3cmd cp s3://SourceBucket/File1 s3://DestinationBucket/File1

Create an IAM Policy that allows everything except IAM except PassRole

To me, this seems likes a bug in the Policy Simulator. Even Amazon themselves declares a policy just like yours in an example of theirs. The simulator complains, but actually attaching this policy to a user works out fine.

What am I doing wrong with the named role?

To the best of my knowledge, nothing.

What could the security implications be by allowing PassRole for all (I'm assuming the policy simulator isn't fibbing).

Well, you'd be allowing the iam:PassRole action for any role. That basically means that a user with this policy would be able to launch an EC2 instance with any IAM role attached to it. It's also explained in the AWS documentation I linked above:

Alternatively, you could grant IAM users access to all your roles by specifying the resource as "*" in this policy. However, consider whether users who launch instances with your roles (ones that exist or that you'll create later on) might be granted permissions that they don't need or shouldn't have.

Best Answer

Solution

Related Solutions

Causing Access Denied when using the aws cli to download from Amazon S3

Create an IAM Policy that allows everything except IAM except PassRole

Related Topic