Thanks again. I was able to separate out the S3 permissions from the rest, but in order to put a wildcard on the S3 resource-id, I added a resource tag filter for the bucket per my organization's security requirements.
I have added this same resource tag/value to the S3 bucket resource in my Cloudformation template, and I think my syntax is correct (syntax verification passed at least), but I receive AccessDenied still on bucket creation within the CF stack. I've attached the new S3 policy items and CF template resource, in case there's something sticking out that I missed.
I can also attach the error event from CloudTrail if helpful.
Thanks again
{
    "Effect": "Allow",
    "Action": [
        "s3:Create*",
        "s3:List*",
        "s3:Get*",
        "s3:Describe*"
    ],
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/component": [
                "sitewise_bridge"
            ]
        }
    },
    "Resource": [
        "arn:aws:s3:::*"
    ]
}
Resources:
  IoTSitewiseExportToS3DestinationBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketName: !Sub ${BucketName}
      AccessControl: Private
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: "component"
          Value: "sitewise_bridge"
Edited by: jf04145 on Nov 10, 2021 8:56 AM
Are you able to share your CloudFormation template?
Happy for you to send it to me as a private message if you don't want to share it on a public forum.
Also just to check, you are including the policy statement within the following JSON:
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        <<statement goes here>>
    ]
}
Thanks, Tom. I will PM over my CF template and the policy in its entirety if that works.
To your point, I am missing the Id entry in the policy, so I can definitely add that; I have seen some other policies in my org that do not have it (for what it's worth).
Let me know if you don't see the message and I can resend (it appears to have sent but doesn't show in my sent messages yet).
Edited by: jf04145 on Nov 16, 2021 10:41 AM
Ok, I think I've identified the problem. You've applied a resource tag condition to the Bucket Creation, however tags wouldn't be applied until after a bucket is created. You need to separate out the create bucket, and don't apply a condition to it. Try this policy and let me know how you get on:
{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
        "s3:Create*",
        "s3:List*",
        "s3:Get*",
        "s3:Describe*"
    ],
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/component": [
                "sitewise_bridge"
            ]
        }
    },
    "Resource": [
        "arn:aws:s3:::*"
    ]
},
{
    "Sid": "VisualEditor2",
    "Effect": "Allow",
    "Action": [
        "s3:CreateBucket"
    ],
    "Resource": [
        "arn:aws:s3:::*"
    ]
}
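Tom's diagnosis above, that a resource-tag condition on a create call can never match because the bucket (and its tags) does not exist yet, is easy to check mechanically. The following is an added example, not code from this thread or from AWS: a small linter that flags Allow statements in which an action pattern covering s3:CreateBucket is gated by an aws:ResourceTag condition. The CREATE_ACTIONS list and the sample policy are assumptions constructed for the example.

```python
"""Lint an IAM policy for an Allow statement whose aws:ResourceTag condition
gates a resource-creating action: the resource (and its tags) does not exist
yet, so the condition can never match and the call is denied."""
import fnmatch
import json

# Actions that create the resource they act on. Hand-picked for this
# example (assumption); extend for other services as needed.
CREATE_ACTIONS = ("s3:CreateBucket",)

def _as_list(value):
    """Action, Resource and Statement may be a string or a list in IAM."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _has_resource_tag_condition(stmt):
    """IAM condition keys are case-insensitive, so compare lower-cased."""
    return any(key.lower().startswith("aws:resourcetag/")
               for block in stmt.get("Condition", {}).values()
               for key in block)

def find_unsatisfiable(policy):
    """Return (Sid, action) pairs where a create action is tag-gated.
    Action patterns such as s3:Create* are expanded case-insensitively."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _has_resource_tag_condition(stmt):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in CREATE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings

# Constructed sample: the thread's first attempt, one tag-gated statement.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "TagGated", "Effect": "Allow",
    "Action": ["s3:Create*", "s3:List*", "s3:Get*"],
    "Condition": {"StringEquals": {"aws:ResourceTag/component": "sitewise_bridge"}},
    "Resource": "arn:aws:s3:::*"
  }]
}""")

if __name__ == "__main__":
    for sid, action in find_unsatisfiable(BROKEN_POLICY):
        print(f"statement {sid}: {action} can never satisfy its ResourceTag condition")
```

Splitting the create action into its own unconditioned statement, as in Tom's corrected policy, produces no findings.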
Thanks, Tom, that looks to have resolved my issue; I'm able to create the bucket via my CloudFormation template now. I really appreciate the help digging into this.
The statement is correct, but you need to separate out the List Bucket and create bucket actions into another statement, as you need to apply a wildcard for the resource-id part of the ARN. Add this to your statement and it should work. Worked for me when I tested it in the IAM Policy Simulator.
{
    "Sid": "s3statement",
    "Effect": "Allow",
    "Action": [
        "s3:CreateBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
    ],
    "Resource": [
        "arn:aws:s3:::*"
    ]
}