Error uploading a file to an S3 bucket
How many years have I been writing S3 bucket policies and IAM policies? At least 10. I’d like to think I’m a halfway decent programmer, though I realize I’ve been doing this way too long and not as fast as I used to be. But that’s where experience is supposed to kick in, right?
I still think programming is fun, but sometimes, when I hit the same non-obvious error messages over and over, I think there has to be a better way. I’ve often considered writing a better IAM and resource policy generator since AWS doesn’t have great options. I’m using the IAM policy generator now and it’s not working. I have standard bucket policies I’ve used for years but I’m trying to do something different here, so I’ve been testing with the visual editor, with plans to automate further.
You should know that if I’m still having problems every time I write an S3 bucket policy, beginners are really struggling. And this is why we have security problems and lax security when it comes to resource and IAM policies. It’s hard. Too hard. People can’t figure out what’s wrong so they open up one thing after another, and leave it that way.
For networking, I wrote a tool to help people figure out what ports their application requires. Cloud providers could provide better error messages and sample zero-trust policies to help people get things done more easily.
~~~~~~~~
But I digress.
~~~~~~~~
So I have a policy currently that allows a role PutObject permissions to a specific bucket and it isn’t working. Let’s figure this out. I did something wrong.
For testing purposes I’m starting with IAM only and no bucket policy, so the IAM role is the only thing causing my access to fail. Let’s take a look.
In my policy I have one s3 statement that allows all read and list actions on any bucket. I tried to restrict that with conditions such as MFA, IP address, and a specific OU but, as noted in a prior post, none of those are working so they don’t exist here:
My policy should also allow all read and list access to local buckets along with the cross-account buckets that are working.
Next I added the PutObject permission to a specific bucket in my account. Welp. That’s not working. Let’s revisit that policy.
Oh that’s right. I just clicked *all* write actions since I already had all read and get for all S3 resources, and here’s what the visual editor created:
{
    "Sid": "VisualEditor3",
    "Effect": "Allow",
    "Action": [
        "s3:PutAnalyticsConfiguration",
        "s3:PutAccelerateConfiguration",
        "s3:DeleteObjectVersion",
        "s3:RestoreObject",
        "s3:CreateBucket",
        "s3:ReplicateObject",
        "s3:PutEncryptionConfiguration",
        "s3:DeleteBucketWebsite",
        "s3:AbortMultipartUpload",
        "s3:PutLifecycleConfiguration",
        "s3:DeleteObject",
        "s3:DeleteBucket",
        "s3:PutBucketVersioning",
        "s3:PutIntelligentTieringConfiguration",
        "s3:PutMetricsConfiguration",
        "s3:PutBucketOwnershipControls",
        "s3:PutReplicationConfiguration",
        "s3:PutObjectLegalHold",
        "s3:InitiateReplication",
        "s3:PutBucketCORS",
        "s3:PutInventoryConfiguration",
        "s3:PutObject",
        "s3:PutBucketNotification",
        "s3:PutBucketWebsite",
        "s3:PutBucketRequestPayment",
        "s3:PutObjectRetention",
        "s3:PutBucketLogging",
        "s3:PutBucketObjectLockConfiguration",
        "s3:ReplicateDelete"
    ],
    "Resource": [
        "arn:aws:s3:::my.bucket/*",
        "arn:aws:s3:::my.bucket"
    ]
}
Note that I added the two variations of resources, for the bucket or any object in the bucket. That’s because it’s annoying to try to remember which actions apply to a bucket or an object and write multiple hard-to-read, convoluted statements. Is that causing my problem? Because this should allow all read access to the bucket and the other policy should allow all write access.
But just for sanity purposes I’ll allow all actions on this bucket and see what happens. BTW that’s not the real bucket name.
Alright, I give.
s3:*
It still doesn’t work. I have s3:* on * resources.
Conditions and MFA
As with my last post, I have MFA required on the KMS portion of the policy, and MFA doesn’t show up for assume role in CloudTrail, so let’s remove that.
I’ve confirmed you can’t use those conditions with assumed roles.
Encryption and KMS Keys
The only other thing I can think of is that the problem has to do with the KMS key assigned to the bucket. That’s not what the error message says, however. You’d expect, or at least hope, that the error message would be more specific than this if it were a KMS key issue. I believe I granted access to the key, but let’s just remove encryption.
And finally. It works.
Now, this is *not* where I’m going to stop. If you’re a developer, don’t just stop when you get things working. Figure out why they weren’t working and fix it, and if it’s a bug or feature request, shoot that over to AWS one way or another. You can tweet it out on Twitter with the hashtag #AWSWishList and someone will probably get your request over to the appropriate AWS team.
In this case I know that my problem is related to one of the KMS error messages I wrote about before on this blog.
- Check the KMS key policy and make sure my role is allowed to use the key.
- Check my IAM permissions and make sure the IAM user is allowed to use KMS for that key.
Oops. I forgot to add users to my KMS key policy. I could have sworn I did that, but like I said, I’ve been doing this far too long. That’s why I’m going to automate…everything. I’m just testing out the plan at the moment. For now, I’ll add the role to the users list on the KMS key, add it back to the bucket, and I should be good to go.
Oh…hang on…I’ve allowed permission through another account at the bottom of the key policy screen. Though I would prefer to add a specific role, I only have my report builder in that account, so I guess it’s OK.
Let’s check the IAM policy…
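The two checks above (key policy first, then the IAM policy) plus the bucket-versus-object resource question are mechanical enough to script before the first upload. What follows is an added example and not code from this post: a stdlib-only Python pre-flight check that takes the IAM policy attached to a role and the key policy of the bucket's KMS key and reports what is still missing for PutObject into an SSE-KMS bucket. The role ARN, account IDs, key ARN and both policy documents are constructed samples, and the evaluation is deliberately simplified (wildcards only, no NotAction/NotResource, and a statement carrying a Condition is treated as not matching, which errs on the side of reporting a gap).

```python
"""Pre-flight check for PutObject into an SSE-KMS encrypted bucket.

Added example, not code from the original post. Given the IAM policy
attached to a role and the key policy on the bucket's KMS key, report
what is still missing before you spend an hour staring at AccessDenied.
Evaluation is simplified: Allow/Deny with "*"/"?" wildcards only, no
NotAction/NotResource, and statements with a Condition never match.
All ARNs, account IDs and policy documents below are constructed samples.
"""
import copy
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, fold_case=False):
    # IAM compares actions case-insensitively; ARNs are compared as written.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_matches(stmt, action, resource):
    if "Condition" in stmt:
        return False  # conservative: conditions are not evaluated here
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(_match(a, action, True) for a in actions) and any(
        _match(r, resource) for r in resources)


def iam_decision(policy, action, resource):
    """Return "Deny", "Allow" or "ImplicitDeny" for one identity policy."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


def key_policy_principals(key_policy, action, key_arn):
    """Principals (AWS ARNs or "*") the key policy allows to call `action`."""
    principals = set()
    for stmt in _as_list(key_policy["Statement"]):
        if stmt["Effect"] != "Allow" or not _statement_matches(stmt, action, key_arn):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
        else:
            principals.update(_as_list(principal.get("AWS", [])))
    return principals


def check_put_object(role_arn, bucket, key_arn, iam_policy, key_policy):
    """Return a list of human-readable gaps; an empty list means go ahead."""
    gaps = []
    object_arn = f"arn:aws:s3:::{bucket}/*"
    # PutObject is an object-level action: the bucket ARN alone is not enough.
    if iam_decision(iam_policy, "s3:PutObject", object_arn) != "Allow":
        gaps.append(f"IAM policy: no Allow for s3:PutObject on {object_arn} "
                    "(the object ARN, not the bucket ARN)")
    # With SSE-KMS, S3 calls kms:GenerateDataKey on the caller's behalf.
    account_root = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    allowed = key_policy_principals(key_policy, "kms:GenerateDataKey", key_arn)
    kms_in_iam = iam_decision(iam_policy, "kms:GenerateDataKey", key_arn)
    if kms_in_iam == "Deny":
        gaps.append(f"IAM policy: explicit Deny for kms:GenerateDataKey on {key_arn}")
    elif role_arn in allowed or "*" in allowed:
        pass  # a direct grant in the key policy is sufficient
    elif account_root in allowed:
        # The key policy only delegates to the account, so IAM must also allow it.
        if kms_in_iam != "Allow":
            gaps.append(f"IAM policy: key policy only delegates to {account_root}, "
                        f"so the role also needs kms:GenerateDataKey on {key_arn}")
    else:
        gaps.append(f"Key policy: neither {role_arn} nor {account_root} may call "
                    "kms:GenerateDataKey; add the role to the key users")
    return gaps


# Constructed sample inputs (placeholders, not real resources).
ROLE = "arn:aws:iam::111122223333:role/report-uploader"
BUCKET = "my.bucket"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"

IAM_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAnyBucket", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Sid": "WriteMyBucket", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIamPoliciesInThisAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "ReportBuilderAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
    ],
}

# The fix: the same IAM policy plus a statement granting use of the bucket key.
IAM_POLICY_AFTER = copy.deepcopy(IAM_POLICY_BEFORE)
IAM_POLICY_AFTER["Statement"].append({
    "Sid": "UseBucketKey", "Effect": "Allow",
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KEY_ARN})

if __name__ == "__main__":
    for name, policy in (("before", IAM_POLICY_BEFORE), ("after", IAM_POLICY_AFTER)):
        print(name, check_put_object(ROLE, BUCKET, KEY_ARN, policy, KEY_POLICY) or ["ok"])
```

The "before" policy is the situation in the post: the key policy names only the account root (and another account's root), which means KMS defers to IAM, and the role's IAM policy says nothing about KMS, so S3 reports a plain AccessDenied. Adding the role directly to the key users, or adding the `UseBucketKey` statement on the IAM side, clears the gap. For real policies, `aws iam simulate-principal-policy` is the authoritative check, since it evaluates conditions and resource policies this script skips.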
Teri Radichel — Follow me @teriradichel on Twitter
© 2nd Sight Lab 2022
____________________________________________
About this blog:
Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts