
Mobile phones can upload their content to our s3 bucket under an IAM user correctly using the below bucket policy

{
    "Version": "2008-10-17",
    "Id": "redacted",
    "Statement": [
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::redacted:user/iam_user"
            },
            "Action": "s3:ListBucketMultipartUploads",
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::202695660434:user/iam_user"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/uploads/*"
        }
    ]
}

I would like to follow best practices and allow federated users to upload from mobile to this bucket. How would I adjust the policy? I can currently create the federated user creds, but can't get it to upload correctly. This policy failed to save:

{
    "Version": "2008-10-17",
    "Id": "redacted",
    "Statement": [
        {
            "Action": [
                "sts:GetFederationToken"
            ],
            "Sid": "redacted",
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::redacted:user/iam_user"
            },
            "Action": "s3:ListBucketMultipartUploads",
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::202695660434:user/iam_user"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/uploads/*"
        }
    ]
}
minuteman3
Vinny Glennon
  • This is very old, but a few comments for passers-by. What are the permissions on the bucket? Also, do users that *create* the federated users have permission on the bucket? One (sane) constraint with federated users is that they cannot get *more* permissions than the user that creates them. – Eric Platon Mar 16 '16 at 01:31
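An added example, not from the question or the answer, showing how the three policies fit together: sts:GetFederationToken is granted in the IAM user's identity policy, the policy passed to GetFederationToken can only narrow that user's permissions, and every statement in a bucket policy must carry a Principal (the sts statement without one is why the second policy above is rejected); if the bucket policy is kept, it names the session's arn:aws:sts::ACCOUNT:federated-user/NAME principal. The account id, the federated user name and the per-device key prefix are assumptions.

```python
import json

# Constructed placeholders: the account id and names in the question are redacted.
ACCOUNT_ID = "111122223333"
BUCKET = "bucket_name"              # bucket name as written in the question
FEDERATED_NAME = "mobile-device-42"  # assumed name passed to GetFederationToken

def federated_user_arn(name: str) -> str:
    """ARN that an sts:GetFederationToken session carries as its principal."""
    return f"arn:aws:sts::{ACCOUNT_ID}:federated-user/{name}"

def iam_user_policy() -> dict:
    """Identity-based policy of the IAM user whose long-term keys call
    GetFederationToken: the sts action lives here, not in the bucket policy."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:ListBucketMultipartUploads",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
         "Resource": f"arn:aws:s3:::{BUCKET}/uploads/*"}]}

def session_policy(name: str) -> dict:
    """Policy parameter for GetFederationToken. It can only narrow the caller's
    permissions, so each device is pinned to its own prefix under uploads/."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucketMultipartUploads",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
         "Resource": f"arn:aws:s3:::{BUCKET}/uploads/{name}/*"}]}

def bucket_policy(name: str) -> dict:
    """Resource-based policy: every statement has a Principal, and the principal
    is the federated-user session rather than the IAM user."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "FederatedMultipartList", "Effect": "Allow",
         "Principal": {"AWS": federated_user_arn(name)},
         "Action": "s3:ListBucketMultipartUploads",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "FederatedUploads", "Effect": "Allow",
         "Principal": {"AWS": federated_user_arn(name)},
         "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
         "Resource": f"arn:aws:s3:::{BUCKET}/uploads/{name}/*"}]}

def statements_missing_principal(policy: dict) -> list:
    """Sids of statements with no Principal; S3 refuses to save such a bucket policy."""
    return [s.get("Sid", "") for s in policy["Statement"] if "Principal" not in s]

if __name__ == "__main__":
    print(json.dumps(bucket_policy(FEDERATED_NAME), indent=2))
```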

1 Answer


I am having the same situation, where I need some users to upload files to a particular bucket and some users to download data from some buckets.

I am planning to have a lambda function which will request access on behalf of the user to read/write from specific buckets and provide the files to them locally. I am not sure if this is one of the best practices.

I will provide security around how the lambda function will be called.

DataGuru