AWS S3 Bucket Permissions - Access Denied

45
votes

I am trying to give myself permission to download existing files in an S3 bucket. I've modified the Bucket Policy, as follows:

        {
        "Sid": "someSID",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucketname/AWSLogs/123123123123/*",
        "Principal": {
            "AWS": [
                "arn:aws:iam::123123123123:user/myuid"
            ]
        }
    }

My understanding is that addition to the policy should give me full rights to "bucketname" for my account "myuid", including all files that are already in that bucket. However, I'm still getting Access Denied errors when I try to download any of those files via the link that comes up in the console.

Any thoughts?

10
amazon-web-servicesamazon-s3
You say that this gives full rights to the bucket, but your Resource includes a prefix. Are all the files you are downloading in this prefix? Also, how are you downloading them? From the console, with an app, with an SDK?Bob Kinney

10 Answers

29
votes

Step 1

Click on your bucket name, and under the permissions tab, make sure that Block new public bucket policies is unchecked

enter image description here

Step 2

Then you can apply your bucket policy enter image description here

Hope that helps

22
votes

David, You are right but I found that, in addition to what bennie said below, you also have to grant view (or whatever access you want) to 'Authenticated Users'. enter image description here

But a better solution might be to edit the user's policy to just grant access to the bucket:

{
   "Statement": [
    {
      "Sid": "Stmt1350703615347",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {}
    }
  ]
}

The first block grants all S3 permissions to all elements within the bucket. The second block grants list permission on the bucket itself.

8
votes

Change resource arn:aws:s3:::bucketname/AWSLogs/123123123123/* to arn:aws:s3:::bucketname/* to have full rights to bucketname

4
votes

Use below method for uploading any file for public readable form using TransferUtility in Android.

transferUtility.upload(String bucketName, String key, File file, CannedAccessControlList cannedAcl)

Example

transferUtility.upload("MY_BUCKET_NAME", "FileName", your_file, CannedAccessControlList.PublicRead);
4
votes

for show website static in s3:

unckeched blocking bucket public

This is bucket policies:

{
  "Version":"2012-10-17",
  "Statement":[{
  "Sid":"PublicReadGetObject",
    "Effect":"Allow",
  "Principal": "*",
  "Action":["s3:GetObject"],
  "Resource":["arn:aws:s3:::example-bucket/*"
  ]
  }
]
}
2
votes

To clarify: It is really not documented well, but you need two access statements.

In addition to your statement that allows actions to resource "arn:aws:s3:::bucketname/AWSLogs/123123123123/*", you also need a second statement that allows ListBucket to "arn:aws:s3:::bucketname", because internally the Aws client will try to list the bucket to determine it exists before doing its action.

With the second statement, it should look like:

"Statement": [
    {
        "Sid": "someSID",
        "Action": "ActionThatYouMeantToAllow",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucketname/AWSLogs/123123123123/*",
        "Principal": {
            "AWS": [
                "arn:aws:iam::123123123123:user/myuid"
            ]
    },
    {
        "Sid": "someOtherSID",
        "Action": "ListBucket",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucketname",
        "Principal": {
            "AWS": [
                "arn:aws:iam::123123123123:user/myuid"
            ]
    }
]

Note: If you're using IAM, skip the "Principal" part.

1
votes

Possible reason: if files have been put/copy by another AWS Account user then you can not access the file since still file owner is not you. The AWS account user who has been placed files in your directory has to grant access during a put or copy operation.

For a put operation, the object owner can run this command: 

aws s3api put-object --bucket destination_awsexamplebucket --key dir-1/my_images.tar.bz2 --body my_images.tar.bz2 --acl bucket-owner-full-control

For a copy operation of a single object, the object owner can run one of these commands: 

aws s3api copy-object --bucket destination_awsexammplebucket --key source_awsexamplebucket/myobject --acl bucket-owner-full-control

ref : AWS Link

1
votes

Giving public access to Bucket to add policy is NOT A RIGHT way. This exposes your bucket to public even for a short amount of time.

You will face this error even if you are admin access (Root user will not face it) According to aws documentation you have to add "PutBucketPolicy" to you IAM user.

So Simply add a S3 Policy to you IAM User as in below screenshot , mention your Bucket ARN for make it safer and you don't have to make you bucket public again.

enter image description here

1
votes

If you have an encrypted bucket, you will need kms allowed.

-1
votes

Go to this link and generate a Policy. In the Principal field give *

In the Actions set the Get Objects

Give the ARN as arn:aws:s3:::<bucket_name>/*

Then add statement and then generate policy, you will get a JSON file and then just copy that file and paste it in the Bucket Policy.

For More Details go here.