
I am trying to limit access of an IAM user to only 3 buckets. I'm working to create an IAM policy on AWS that enables the IAM user to sync files onto and from AWS S3. I have written the following policy out but every time I run an aws sync command to sync a folder on the desktop with the bucket my policy allows access to, the terminal seems to get stuck without outputting any response or completing the process. Any ideas on what permissions might be missing for the same?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-1",
                "arn:aws:s3:::bucket-2",
                "arn:aws:s3:::bucket-3"
            ]
        }
    ]
}

Viv
  • Does the CLI output any errors? – jellycsc Aug 07 '20 at 02:42
  • It looks like it has already started syncing your data. Did you see any files in the destination while the screen is stuck? – Prabhakar Reddy Aug 07 '20 at 02:44
  • PutObject and GetObject apply to objects, not buckets. Your policy only includes buckets. – Marcin Aug 07 '20 at 02:57
  • Being "stuck without outputting any response" does not seem like the behaviour that would be caused by incorrect permissions. Does it work if the IAM User has (temporarily) all S3 permissions for the bucket? – John Rotenstein Aug 07 '20 at 03:30
  • @PrabhakarReddy Thank you for your suggestion there, I did double check and the destination had received no files – Viv Aug 07 '20 at 04:01

2 Answers


Some S3 commands require permissions at the bucket-level, and others require it at the object-level.

The easiest way to remedy this is to specify both.

Try this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-1",
                "arn:aws:s3:::bucket-2",
                "arn:aws:s3:::bucket-3",
                "arn:aws:s3:::bucket-1/*",
                "arn:aws:s3:::bucket-2/*",
                "arn:aws:s3:::bucket-3/*"
            ]
        }
    ]
}

John Rotenstein
  • Thank you for the tip! I understand the motivation here, we are trying to make sure that the permissions apply to the object within the bucket as well. Unfortunately, the change has no effect on the issue. I have gone ahead and changed the "Action" to "s3:*" to make sure that all permissions are being granted for the buckets of interest - and it still has the same behavior. I'm thinking it has something to do on the bucket side? – Viv Aug 07 '20 at 05:28
  • If you wish to identify all the API calls made by the `sync` command, I suggest you run the command and then look in AWS CloudTrail to view the API calls that were actually received. For example, there might be additional calls such as `PutObjectACL`. – John Rotenstein Aug 07 '20 at 05:54

I'm not sure if you are attempting to write an IAM policy or a bucket policy? If the latter, in either case you are missing object-level permissions. For a bucket policy you are also missing principals.

You could also separate the statements for objects or buckets. Below is an example of bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:user/a_user"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-1",
                "arn:aws:s3:::bucket-2",
                "arn:aws:s3:::bucket-3"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxx:user/a_user"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-1/*",
                "arn:aws:s3:::bucket-2/*",
                "arn:aws:s3:::bucket-3/*"
            ]
        }
    ]
}

Marcin
  • Thank you for pointing me in this direction! I am basically trying to limit access of this IAM user to just these 3 buckets. My understanding is that in order to do that, I need to create an IAM policy with buckets and access parameters specified and that is what I was attempting to do. Would I also need to create bucket policies like above to fulfil the goal here? – Viv Aug 07 '20 at 05:58
  • @Viv IAM policy would be better in your case. There is no need for a bucket policy if you want to use IAM policies. From the original question I wasn't clear what exactly your aim was. – Marcin Aug 07 '20 at 06:00
  • Edit made in the question. Thank you. The "Principal" is not required in the IAM policy then, correct? – Viv Aug 07 '20 at 06:04
  • @Viv Correct. Principal is implicitly defined when you attach the policy to your IAM user. – Marcin Aug 07 '20 at 06:08
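Added example, not code from either answer and not AWS's own evaluation engine: a small Python script that replays the point both answers make. It transcribes the asker's policy, John Rotenstein's fix (bucket and object ARNs in one statement) and Marcin's split layout recast as an identity policy (no Principal, per his last comment), then checks which of the calls an `aws s3 sync` needs each policy actually covers, and that none of them reaches a fourth bucket. The matcher is a deliberate simplification (Allow/Deny with `*` and `?` wildcards only; no Condition, NotAction or resource-policy merging), and the object key `Desktop/report.txt` is a constructed sample.

```python
"""Minimal IAM-style policy matcher (illustration only, not AWS's evaluator).
Shows why bucket-level ARNs alone do not authorise object operations and
why adding "bucket/*" resources fixes an `aws s3 sync` that hangs on them."""
import re

BUCKETS = ["bucket-1", "bucket-2", "bucket-3"]
BUCKET_ARNS = [f"arn:aws:s3:::{b}" for b in BUCKETS]
OBJECT_ARNS = [f"{arn}/*" for arn in BUCKET_ARNS]
SYNC_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
                "s3:DeleteObject", "s3:GetBucketLocation"]

# The asker's policy: every action, but only bucket-level resources.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SYNC_ACTIONS, "Resource": BUCKET_ARNS}]}

# John Rotenstein's fix: same actions, bucket and object ARNs together.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SYNC_ACTIONS,
     "Resource": BUCKET_ARNS + OBJECT_ARNS}]}

# Marcin's layout as an identity (IAM) policy: one statement per resource
# level, no Principal because the user the policy is attached to implies it.
SPLIT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": BUCKET_ARNS},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": OBJECT_ARNS}]}


def _glob_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _as_list(x):
    # IAM accepts a single string or a list for Action and Resource.
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise
    the request is implicitly denied. Action names compare case-insensitively
    (as IAM does); resource ARNs compare case-sensitively."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def sync_requirements(bucket, key="Desktop/report.txt"):
    """(action, resource) pairs the sync workflow in the question exercises:
    listing and locating the bucket target the bucket ARN, the object calls
    target a key underneath it. `key` is a constructed sample path."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    obj_arn = f"{bucket_arn}/{key}"
    return [("s3:ListBucket", bucket_arn), ("s3:GetBucketLocation", bucket_arn),
            ("s3:PutObject", obj_arn), ("s3:GetObject", obj_arn),
            ("s3:DeleteObject", obj_arn)]


def missing_permissions(policy, bucket):
    """Return the sync calls on `bucket` that `policy` does not allow."""
    return [(a, r) for a, r in sync_requirements(bucket)
            if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL_POLICY),
                         ("fixed", FIXED_POLICY), ("split", SPLIT_POLICY)]:
        missing = [a for a, _ in missing_permissions(policy, "bucket-1")]
        # Least-privilege check: a fourth bucket must stay out of reach.
        leak = is_allowed(policy, "s3:GetObject", "arn:aws:s3:::bucket-4/x")
        print(f"{name:8s} missing={missing} reaches bucket-4={leak}")
```

Running it prints that the original policy lacks `s3:PutObject`, `s3:GetObject` and `s3:DeleteObject` for `bucket-1`, while both corrected layouts cover all five calls and still deny `bucket-4`. Note that a bucket ARN without a wildcard also does not match `bucket-10`, so listing the three bucket names exactly is what keeps the grant scoped.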