0

I have server S3 buckets belonging to different clients. I am using AWS SDK for PHP in my application to upload photos to the S3 bucket. I am using the AWS SDK for Laravel 4 to be exact but I don't think the issue is with this specific implementation.

The problem is unless I give the AWS user my server is using the FullS3Access it will not upload photos to the bucket. It will say Access Denied! I have tried first with only giving full access to the bucket in question, then I realized I should add the ability to list all buckets because that is probably what the SDK tries to do to confirm the credentials but still no luck. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::clientbucket"
            ]
        }
    ]
}

It is a big security concern for me that this application has access to all S3 buckets to work.

Neo
  • 11,078
  • 2
  • 68
  • 79
  • The PHP SDK just sends the requests signed with the credentials you give it. If you are getting access denied errors, then it is a permissions problem, and has nothing to do with the SDK. – Jeremy Lindblom Apr 23 '15 at 20:27

1 Answers1

0

Jeremy is right, it's permissions-related and not specific to the SDK, so far as I can see here. You should certainly be able to scope your IAM policy down to just what you need here -- we limit access to buckets by varying degrees often, and it's just an issue of getting the policy right.

You may want to try using the AWS Policy Simulator from within your account. (That link will take you to an overview, the simulator itself is here.) The policy generator is also helpful a lot of the time.

As for the specific policy above, I think you can drop the second statement and merge with the last one (the one that is scoped to your specific bucket) may benefit from some * statements since that may be what's causing the issue:

"Action": [
    "s3:Delete*",
    "s3:Get*",
    "s3:List*",
    "s3:Put*"
]

That basically gives super powers to this account, but only for the one bucket.

I would also recommend creating an IAM server role if you're using a dedicated instance for this application/client. That will make things even easier in the future.

Neal Magee
  • 1,642
  • 18
  • 28