Cross-Account IAM Access Denied with GUI Client, but permitted via CLI

0
votes

I am stuck with provisioning end-user access into a cross account shared bucket, and need help figuring out if there are specific policy requirements for using clients to access the bucket, vs straight CLI.

IAM User Accounts are managed in our "Core" AWS Account. S3 Bucket is provisioned in our "Dev" AWS Account. S3 Bucket in Dev account is encrypted with KMS key in Dev Account.

We have configured our Bucket Policy to permit the user access. We have configured user policies to permit access to the S3 bucket. We have configured user policies to permit use of the KMS key.

When using the CLI our user account can succesfully access and use the S3 bucket. When attempting to connect with a GUI Client (Win-SCP, CyberDuck, MAC ForkLift) we receive permission denied errors.

BUCKET POLICY

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::[DEVACCOUNT#]:role/EC2-ROLE-FOR-APP-ACCESS",
                    "arn:aws:iam::[COREACCOUNT#]:user/end.user"
                ]
            },
            "Action": "s3:List*",
            "Resource": [
                "arn:aws:s3:::dev-mybucket",
                "arn:aws:s3:::dev-mybucket/*"
            ]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::[DEVACCOUNT#]:role/EC2-ROLE-FOR-APP-ACCESS",
                    "arn:aws:iam::[COREACCOUNT#]:user/end.user"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:Put*"
            ],
            "Resource": "arn:aws:s3:::dev-mybucket/*"
        }
    ]
}

User Policy - access KMS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfDevAPPSKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": [
                "arn:aws:kms:ca-central-1:[DEVACCOUNT#]:key/[redacted-key-number]"
            ]
        },
        {
            "Sid": "AllowAttachmentOfPersistentResources",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:List*",
                "kms:RevokeGrant"
            ],
            "Resource": [
                "arn:aws:kms:ca-central-1:[DEVACCOUNT#]:key/[redacted-key-number]"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

User policy - Access S3 Bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToMyBucket",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::dev-mybucket/",
                "arn:aws:s3:::dev-mybucket/*"
            ]
        }
    ]

}

From aws s3 commands we can 'ls' content and 'cp' content from local to remote and from remote to local.

When configuring access with the GUI Clients we always receive somewhat generic 'permission denied' or 'access denied' type errors.

1
amazon-web-servicesamazon-s3

1 Answers

0
votes

The GUI client is probably making a call that is not List*, Put* or GetObject.

For example, it might be calling GetObjectVersion, GetObjectAcl or GetBucketAcl.

Try adding Get* permissions in addition to List*.

You might also be able to look at the events in your AWS CloudTrail trail to see what specific API calls were denied.

For details, see: Specifying Permissions in a Policy - Amazon Simple Storage Service