What AWS IAM role policies do I need to write files to S3?

0
votes

I'm trying to configure a Kinesis Firehose delivery stream to write files to S3. I've created the Firehose stream to use a role named att1.

This is the policy attached to att's configuration. I took the format from this page here https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3

I've validated the policy, but I'm not sure if it's correct.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:*",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::s3bucket",
                "arn:aws:s3:::s3bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:515766555555:key/cdee14ca-12b1-4790-9513-d007a3192f43"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "s3.us-east-1.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::s3bucket*"
                }
            }
        }
    ]
}

Configuration has obviously been edited for privacy settings, but otherwise this is copied straight out of the policy

1
amazon-web-servicesamazon-s3amazon-iamamazon-kinesis-firehose
Pretty sure "s3:*" gives this policy full access, period. Maybe not what you want?TheFiddlerWins
Yeah, that's what I thought, but everything in the data flow process is working until the write to S3. Just wanted to see if this policy definition was the issue or notsimplycoding

1 Answers

0
votes

I think your StringLike condition on the KMS key policy is wrong. The docs suggest this should actually be arn:aws:s3:::<s3bucket>/<prefix>*.

So if you've configured your firehose to write to bucket abc with prefix def, it should look like this:

"StringLike": {
    "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::abc/def*"
}