Understanding IAM policies

Question

I recently ran into a problem with IAM policies while using Code-Build. And I am trying to understand the difference between the following 2 policies and check if there are any security implications of using version 2 over version 1.

Version 1 doesn't work, so I decided to go with version 2. But why does version 2 work and why doesn't version 1 doesn't work?

Version 1 only gives access to the CodePipeline resource and allows to read and write to S3 bucket object.

However Version 2 gives access to all S3 buckets, doesn't it? Would this be considered a security loophole?

Version 1

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::codepipeline-ap-southeast-1-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        }
    ]
}

Version 2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build",
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Backend-API-Build:*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::codepipeline-ap-southeast-1-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        },
{
  "Sid": "S3AccessPolicy",
  "Effect": "Allow",
  "Action": [
    "s3:CreateBucket",
    "s3:GetObject",
    "s3:List*",
    "s3:PutObject"
  ],
  "Resource": "*"
  }
    ]
}

Yes, that rule is too permissive. It is possible that the system merely needs ListObjects permission on the bucket to obtain a listing of objects. You could try adding that to Version 1 (Action: s3:ListsObjects) and see whether that helps. — John Rotenstein

Yash Bindlish Yash Bindlish · Accepted Answer · 2018-12-16T06:25:41

I have replicated the scenario by giving the restricted access to specific S3 Bucket.

Block 1: Allow required Amazon S3 console permissions Here i have granted CodePipeline to list all the buckets in the AWS account.

Block 2: Allow listing objects in root folders here my S3 Bucket Name is "aws-codestar-us-east-1-493865049436-larvel-test-pipe"

but i am surprised as when i followed the Steps from Creating CodePipeline to Create Build from the same Pipeline Console itself, i had got the same policy as your version 1 and it executed as well. However, as a next step, i gave a specific permission to a bucket in S3 as given below policy and it has worked. So in your version two rather than granting all permission to your resources Resource": "*" you can restrict a permission to a bucket only specific as described in below sample policy

{
   "Version": "2012-10-17",
   "Statement": [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1",
            "arn:aws:logs:us-east-1:493865049436:log-group:/aws/codebuild/larvel-test1:*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::codepipeline-us-east-1-*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::aws-codestar-us-east-1-493865049436-larvel-test-pipe/*" 
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    }
]
}

Understanding IAM policies

1 Answers