Not Able To Create a New Bucket - Policy Permissions Appear Correct

0

Hello,

I wanted to see if someone could point me in the right direction towards an AccessDenied error that I receive when creating a new Bucket via the CLI (I am not able to create via the web GUI, as that is not allowed for this account via my company's IT policy).

I do not seem to get any more specific info, other than the CLI output "An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied". I receive this same error whether I create directly via the commands s3 mb or s3api, or create as part of a CloudFormation template (the stack create fails once this happens).

Checking CloudTrail event logs, I confirmed that the correct role is being passed through the CLI, which I think should have more than sufficient permissions in its policy (listed at the bottom). CloudTrail does not appear to show any other error details outside of "Access Denied".

Wanted to see if there may be an action or resource type that I may be missing generally to create a bucket?

Thanks,
Justin

    {
        "Effect": "Allow",
        "Action": [
            "cloudformation:*",
            "logs:*",
            "s3:*",
            "kms:*"
        ],
        "Resource": [
            "arn:aws:cloudformation:us-east-1:ACCOUNT_NUMBER_HERE:stack/devops*",
            "arn:aws:cloudformation:us-east-1:ACCOUNT_NUMBER_HERE:stack/IoT-Sitewise*",
            "arn:aws:logs:us-east-1:ACCOUNT_NUMBER_HERE:log-group:/aws/*",
            "arn:aws:s3:::bucket*",
            "arn:aws:s3:::${BucketName}",
            "arn:aws:s3:::AccountPublicAccessBlock*",
            "arn:aws:s3:::object*",
            "arn:aws:s3:::ACCOUNT_NUMBER_HERE-sitewises3*",
            "arn:aws:s3:::ACCOUNT_NUMBER_HERE-sitewises3/*",
            "arn:aws:kms:us-east-1:ACCOUNT_NUMBER_HERE:key*",
            "arn:aws:kms:us-east-1:ACCOUNT_NUMBER_HERE:alias*"
        ]
    }

Edited by: jf04145 on Nov 5, 2021 12:26 PM

jf04145
Asked 3 years ago, 2167 views
9 answers
0

Gotcha, thanks, I will give that a try

jf04145
Answered 3 years ago
0

Thanks again. I was able to separate out the S3 permissions from the rest, but in order to put a wildcard on the S3 resource-id, I added a resource tag filter for the bucket, per my organization's security requirements.

I have added this same resource tag/value to the S3 bucket resource in my CloudFormation template, and I think my syntax is correct (syntax verification passed at least), but I still receive AccessDenied on bucket creation within the CF stack. I've attached the new S3 policy items and CF template resource, in case there's something sticking out that I missed.

I can also attach the error event from CloudTrail if helpful.

Thanks again

    {
        "Effect": "Allow",
        "Action": [
            "s3:Create*",
            "s3:List*",
            "s3:Get*",
            "s3:Describe*"
        ],
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/component": [
                    "sitewise_bridge"
                ]
            }
        },
        "Resource": [
            "arn:aws:s3:::*"
        ]
    }

    Resources:
      IoTSitewiseExportToS3DestinationBucket:
        Type: AWS::S3::Bucket
        DeletionPolicy: Retain
        Properties:
          BucketName: !Sub ${BucketName}
          AccessControl: Private
          VersioningConfiguration:
            Status: Enabled
          BucketEncryption:
            ServerSideEncryptionConfiguration:
              - ServerSideEncryptionByDefault:
                  SSEAlgorithm: AES256
          Tags:
            - Key: "component"
              Value: "sitewise_bridge"

Edited by: jf04145 on Nov 10, 2021 8:56 AM

jf04145
Answered 3 years ago
0

Are you able to share your CloudFormation template?
Happy for you to send me this as a private message if you don't want to share it on a public forum.

Also, just to check, you are including the policy statement within the following JSON:

    {
        "Version": "2012-10-17",
        "Id": "ExamplePolicy01",
        "Statement": [
            <<statement goes here>>
        ]
    }

Answered 3 years ago
0

Thanks Tom - I will PM over my CF template and the policy in its entirety if that works.

To your point, I am missing the ID entry in the policy, so I can definitely add that; I have seen some other policies in my org that do not have it (for what it's worth).

Let me know if you don't see the message and I can resend (it appears to have sent but doesn't show in my sent messages yet).

Edited by: jf04145 on Nov 16, 2021 10:41 AM

jf04145
Answered 3 years ago
0

Ok, I think I've identified the problem. You've applied a resource tag condition to the bucket creation; however, tags wouldn't be applied until after a bucket is created. You need to separate out the create bucket, and don't apply a condition to it. Try this policy and let me know how you get on:

    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "s3:Create*",
            "s3:List*",
            "s3:Get*",
            "s3:Describe*"
        ],
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/component": [
                    "sitewise_bridge"
                ]
            }
        },
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Sid": "VisualEditor2",
        "Effect": "Allow",
        "Action": [
            "s3:CreateBucket"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    }

Answered 3 years ago
0

Thanks a bunch Tom, I will give that a try and report back.

jf04145
Answered 3 years ago
0

repost

Edited by: jf04145 on Nov 24, 2021 10:39 AM

jf04145
Answered 3 years ago
0

Thanks, Tom, that looks to have resolved my issue; I'm able to create the bucket via my CloudFormation template now. I really appreciate the help digging into this.

jf04145
Answered 3 years ago
-1

The statement is correct, but you need to separate out the ListBucket and CreateBucket actions into another statement, as you need to apply a wildcard for the resource-id part of the ARN. Add this to your statement and it should work. Worked for me when I tested it in the IAM Policy Simulator.

    {
        "Sid": "s3statement",
        "Effect": "Allow",
        "Action": [
            "s3:CreateBucket",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    }

Answered 3 years ago
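The following Python is an added example, not code from this thread or from AWS. It models Tom's point (a tag condition can never match s3:CreateBucket because the bucket has no tags yet) and the separate wildcard-resource statement recommended in the last answer, using a deliberately simplified evaluator: only Allow statements, `*`/`?` wildcards and StringEquals on `aws:ResourceTag/<key>` are modelled, and the policies are constructed from the ones posted above with a placeholder account id.

```python
"""Simplified IAM evaluation of the CreateBucket failure in this thread. As in IAM,
a condition key absent from the request context makes StringEquals false."""
from fnmatch import fnmatchcase

# Policies constructed from the ones posted in the thread; the account id is a placeholder.
BUCKET_ARN = "arn:aws:s3:::ACCOUNT_NUMBER_HERE-sitewises3"
TAG_CONDITIONED = [{
    "Effect": "Allow",
    "Action": ["s3:Create*", "s3:List*", "s3:Get*", "s3:Describe*"],
    "Condition": {"StringEquals": {"aws:ResourceTag/component": ["sitewise_bridge"]}},
    "Resource": ["arn:aws:s3:::*"],
}]
# Tom's fix: an extra statement granting CreateBucket with no tag condition.
SPLIT = TAG_CONDITIONED + [{"Effect": "Allow", "Action": ["s3:CreateBucket"],
                            "Resource": ["arn:aws:s3:::*"]}]

def _matches(patterns, value, fold=False):
    """IAM-style wildcard match; actions are case-insensitive, resources are not."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    if fold:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatchcase(value, p) for p in pats)

def _condition_ok(cond, context):
    """Only StringEquals is modelled; a key missing from the context fails the test."""
    for key, allowed in cond.get("StringEquals", {}).items():
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if context.get(key) not in allowed:
            return False
    return True

def is_allowed(statements, action, resource, context):
    """True if any Allow statement matches the action, resource and condition."""
    return any(st.get("Effect") == "Allow"
               and _matches(st["Action"], action, fold=True)
               and _matches(st["Resource"], resource)
               and _condition_ok(st.get("Condition", {}), context)
               for st in statements)

def evaluate_thread_cases():
    """CreateBucket runs before any tag exists; calls on the tagged bucket see the tag."""
    tagged = {"aws:ResourceTag/component": "sitewise_bridge"}
    return {
        "create_tag_condition_only": is_allowed(TAG_CONDITIONED, "s3:CreateBucket", BUCKET_ARN, {}),
        "create_with_split_statement": is_allowed(SPLIT, "s3:CreateBucket", BUCKET_ARN, {}),
        "get_tagging_on_tagged_bucket": is_allowed(SPLIT, "s3:GetBucketTagging", BUCKET_ARN, tagged),
        "list_bucket_without_tag": is_allowed(SPLIT, "s3:ListBucket", BUCKET_ARN, {}),
    }
```

Running `evaluate_thread_cases()` reproduces the thread: the tag-conditioned statement alone denies CreateBucket, the split policy allows it, and the tag condition still gates actions on the bucket once it carries the tag.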
