Unable to restrict IAM Role to a specific key and subkeys in S3 (getting AccessDenied)

Time:10-11

I have 2 IAM Roles A & B that are assumed by 2 EC2 instances. I would like to grant role A access to the ServerA/ key and all subkeys and objects in an S3 bucket.

I would like to do the same for Role B but give it access to only the ServerB/ key and all subkeys and objects starting with that key.

S3 bucket layout:

- SqlServerBackups/
    - ServerA/
        - DBAdmin/
            - DIFF/
                - backup1.bak
                - ..
            - FULL/
                - fullbackup1.bak
                - ..
    - ServerB/
        - DBAdmin/
            - DIFF/
                - backup1.bak
                - ..
            - FULL/
                - fullbackup1.bak
                - ..

When I try to perform this sync

aws s3 sync E:\BACKUPS\VOL01\MSSQL15.MSSQLSERVER\MSSQL\Backup\ s3://bucketname/SqlServerBackups/ServerA/

operation from ServerA I am getting this error:

upload failed: E:\BACKUPS\VOL01\MSSQL15.MSSQLSERVER\MSSQL\Backup\OperatorData\LOG\OperatorData.trn to
s3://bucketname/SqlServerBackups/ServerA/OperatorData/LOG/OperatorData_LOG_20221011_111601.trn 
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

This is the custom IAM policy attached to the ServerA EC2 instance:

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:AbortMultipartUpload"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/ServerA/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

What am I missing here? My policy seems to be causing the issue but I am not sure what permissions I am missing to fix the issue.

CodePudding user response:

Try this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<<bucketname>>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "SqlServerBackups/ServerB/*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::<<bucketname>>/SqlServerBackups/ServerB/*"
        }
    ]
}
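To see why the question's policy denies the upload while the prefix-scoped shape from the answer allows it, here is a small offline policy checker written as an added example (not code from the question, the answer or AWS). It models only the pieces these policies use: Allow/Deny, IAM wildcards in actions and ARNs, and the StringLike condition on s3:prefix; the bucket name, object key and policies are taken from the page, with the object ARN in the fixed policy spelled out with the full SqlServerBackups/ prefix.

```python
import re

def iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _conditions_hold(condition, context):
    """Only StringLike is modelled; any other operator raises instead of silently allowing."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, patterns in pairs.items():
            # An absent context key fails StringLike, as it does in IAM.
            if key not in context or not any(iam_match(p, context[key]) for p in _as_list(patterns)):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins; otherwise allowed only if some Allow statement matches fully."""
    context, allowed = context or {}, False
    for stmt in policy["Statement"]:
        if not (any(iam_match(a, action) for a in _as_list(stmt["Action"]))
                and any(iam_match(r, resource) for r in _as_list(stmt["Resource"]))
                and _conditions_hold(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

BUCKET = "arn:aws:s3:::bucketname"
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload"]

# The question's policy: the object ARN names ServerA/ but the keys live under SqlServerBackups/ServerA/.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"] + OBJECT_ACTIONS,
     "Resource": [BUCKET, BUCKET + "/ServerA/*"]}]}

# The answer's shape with the full key prefix: listing scoped by s3:prefix, objects scoped by ARN.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "SqlServerBackups/ServerA/*"}}},
    {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": BUCKET + "/SqlServerBackups/ServerA/*"}]}

# The object key from the failed upload in the question.
FAILED_KEY = "SqlServerBackups/ServerA/OperatorData/LOG/OperatorData_LOG_20221011_111601.trn"
```

The same checks also show that the question's policy lets the role list every prefix in the bucket (ListBucket has no s3:prefix condition), so the fixed version tightens listing as well as object access.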