I'm trying to configure a Kinesis Firehose delivery stream to write files to S3. I've created the Firehose stream to use a role named att1.

This is the policy attached to att1's configuration. I took the format from this page here https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3

I've validated the policy, but I'm not sure if it's correct.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:*",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::s3bucket",
                "arn:aws:s3:::s3bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:515766555555:key/cdee14ca-12b1-4790-9513-d007a3192f43"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "s3.us-east-1.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::s3bucket*"
                }
            }
        }
    ]
}

Configuration has obviously been edited for privacy settings, but otherwise this is copied straight out of the policy.

John Rotenstein
simplycoding
  • Pretty sure "s3:*" gives this policy full access, period. Maybe not what you want? – TheFiddlerWins Mar 01 '16 at 20:23
  • Yeah, that's what I thought, but everything in the data flow process is working until the write to S3. Just wanted to see if this policy definition was the issue or not – simplycoding Mar 01 '16 at 20:49

1 Answer


I think your StringLike condition on the KMS key policy is wrong. The docs suggest this should actually be arn:aws:s3:::<s3bucket>/<prefix>*.

So if you've configured your firehose to write to bucket abc with prefix def, it should look like this:

"StringLike": {
    "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::abc/def*"
}
ataylor
  • Good catch. I changed it to `abc` since I'm just placing these files at the root directory of the respective bucket, but still having same issues :( – simplycoding Mar 01 '16 at 20:51
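The two points raised on this page, the bare s3:* sitting next to the enumerated S3 actions and the shape of the StringLike pattern on kms:EncryptionContext:aws:s3:arn, can both be checked offline before touching the console. The script below is an added example, not code from the original question or answer. The policy it loads is a constructed copy of the one in the question with placeholder account and key IDs, the object key it tests against is made up (Firehose inserts a date path after the configured prefix, but the exact key does not matter for the match), and the helper names are my own. It implements IAM StringLike matching (* matches any run of characters, ? matches one, everything else is literal and case-sensitive) and compares the question's pattern with the bucket/prefix form the Firehose docs use.

```python
import copy
import json
import re

# Constructed copy of the policy from the question (account and key IDs are
# placeholders). Added example material, not the original poster's file.
QUESTION_POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": ["s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject",
                 "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:*", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::s3bucket", "arn:aws:s3:::s3bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": ["arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"],
      "Condition": {
        "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"},
        "StringLike": {"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::s3bucket*"}
      }
    }
  ]
}
''')

CONTEXT_KEY = "kms:EncryptionContext:aws:s3:arn"


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' is any run of characters, '?' exactly one,
    everything else literal and case-sensitive; the whole value must match."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def wildcard_actions(policy: dict) -> list:
    """Every Allow action that is a bare service wildcard ('s3:*') or '*'.
    Such an entry makes the explicitly listed actions beside it redundant."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        found += [a for a in _as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
    return found


def context_patterns(policy: dict) -> list:
    """All StringLike patterns applied to the S3 object ARN in the KMS encryption context."""
    patterns = []
    for stmt in policy["Statement"]:
        patterns += _as_list(stmt.get("Condition", {}).get("StringLike", {}).get(CONTEXT_KEY, []))
    return patterns


def check_context_condition(policy: dict, bucket: str, prefix: str = "") -> dict:
    """Does the condition admit the stream's own objects, and does it also admit
    objects in a different bucket whose name merely starts with the same string?"""
    key = f"{prefix}2016/03/01/delivered-object.gz"  # constructed object key
    own_object = f"arn:aws:s3:::{bucket}/{key}"
    sibling_bucket_object = f"arn:aws:s3:::{bucket}-other/{key}"
    patterns = context_patterns(policy)
    return {
        "allows_own_objects": any(iam_string_like(p, own_object) for p in patterns),
        "allows_sibling_bucket": any(iam_string_like(p, sibling_bucket_object) for p in patterns),
    }


def tightened_context_pattern(bucket: str, prefix: str = "") -> str:
    """The form the Firehose docs use: objects under the configured bucket and prefix."""
    return f"arn:aws:s3:::{bucket}/{prefix}*"


def with_context_pattern(policy: dict, pattern: str) -> dict:
    """Return a deep copy of the policy with the encryption-context pattern replaced."""
    new = copy.deepcopy(policy)
    for stmt in new["Statement"]:
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if CONTEXT_KEY in cond:
            cond[CONTEXT_KEY] = pattern
    return new


if __name__ == "__main__":
    print("wildcard actions:", wildcard_actions(QUESTION_POLICY))
    print("question pattern:", check_context_condition(QUESTION_POLICY, "s3bucket"))
    fixed = with_context_pattern(QUESTION_POLICY, tightened_context_pattern("s3bucket"))
    print("docs-style pattern:", check_context_condition(fixed, "s3bucket"))
```

Two things fall out of running it. The question's arn:aws:s3:::s3bucket* admits the stream's own objects but also any object in a bucket such as s3bucket-other, which is why the docs scope the pattern to bucket/prefix*. And a pattern with no trailing wildcard at all, like a bare arn:aws:s3:::abc, matches only the literal bucket ARN and never an object ARN, so the KMS statement would then allow nothing; that is worth checking on the "changed it to abc" attempt above. The check is purely static: whether the role is actually being denied at write time is something CloudTrail's KMS and S3 events will show.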