The S3 bucket in account A has the policy below (conditions as in the real policy; values elided):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "whitelistIp",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-s3",
        "arn:aws:s3:::my-s3/*"
      ],
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": [ "<list of IPs>" ] },
        "StringNotEquals": { "aws:sourceVpce": [ "<list of VPCE IDs>" ] }
      }
    },
    {
      "Sid": "DenyNonSSLTraffic",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-s3",
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "AllowSpecificIamRoles",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3",
        "arn:aws:s3:::my-s3/*"
      ],
      "Condition": {
        "StringLike": { "aws:userid": [ "<list of user IDs>" ] }
      }
    }
  ]
}
```

Now, from account B, I am trying to read objects from a Lambda function.

`s3_client.list_objects()` - this method works.

But when I use `s3_client.download_file()` it gives me an Access Denied error.

I have verified that the Lambda has sufficient permissions to read from S3.

Also one question: if I use a bucket policy, do I still have to specify an ACL for cross-account access?

AWS_Lernar
  • Please fix indentation in your code. – Marcin Oct 07 '21 at 03:33
  • @Marcin There is no issue with indentation; I cannot directly copy it and hence cannot put the exact code. But the conditions are the same. – AWS_Lernar Oct 07 '21 at 03:34
  • Looks similar https://stackoverflow.com/q/33569045/495455 – Jeremy Thompson Oct 07 '21 at 03:40
  • @JeremyThompson I have verified the answers given there but no luck. Also in my case the `s3_client.list_objects()` method is working – AWS_Lernar Oct 07 '21 at 04:04
  • Your question is not clear. There are many issues, such as there is no such thing as `awssecureTransport`. What exactly do you want to accomplish? – Marcin Oct 07 '21 at 04:30
  • @Marcin In a bucket policy we can specify `"aws:secureTransport": "false"`, which means it will deny non-HTTPS traffic – AWS_Lernar Oct 07 '21 at 04:49
  • @AWS_Lernar I know, but the point is that what you posted is incorrectly formatted with strange values and strings. What is `arn-of-s3 and arn-of-s3/*`? No one knows if the issues are due to mistakes in the SO post or your actual policy due to this. – Marcin Oct 07 '21 at 04:50
  • @Marcin Apologies for posting like this, but unfortunately I cannot post the actual policy. – AWS_Lernar Oct 07 '21 at 04:52
  • @Marcin I have corrected the ARNs in the post – AWS_Lernar Oct 07 '21 at 04:58

1 Answer

If your Lambda function runs in a VPC, then you have to create an endpoint to access S3:

Create an S3 endpoint for the VPC from the VPC dashboard.

Select the S3 gateway and attach your VPC.

Add the endpoint routes to your route table.

Now you can read your S3 object.

Ayush Shah
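To make the question's bucket policy and the answer's VPC-endpoint advice concrete, here is an added example (not code from either poster) that models how S3 evaluates the three statements against a request context. It encodes the policy with the correct operator and key names (NotIpAddress / aws:SourceIp, StringNotEquals / aws:sourceVpce, Bool / aws:SecureTransport, StringLike / aws:userid), applies the documented rules that operators inside one Condition block are ANDed, that a negated operator matches when its key is absent from the request, and that an explicit Deny overrides any Allow, and then runs a Lambda request without a VPC endpoint, the same request through a gateway endpoint, and a plain-HTTP request from a whitelisted IP. It also shows that the question's DenyNonSSLTraffic statement, whose Resource names only the bucket ARN, does not cover object-level actions. The CIDR, endpoint id and role id are constructed placeholders; the evaluator is a teaching simplification and ignores cross-account identity policies.

```python
"""Toy evaluator for the bucket policy in the question (added example).

Models only what the policy uses: action/resource matching, the NotIpAddress /
StringNotEquals / StringLike / Bool operators, negated operators matching when
their key is absent, and explicit-deny-over-allow. Cross-account identity
policies are out of scope. All ids, CIDRs and user ids are constructed.
"""
import fnmatch
import ipaddress

# Constructed stand-ins for the values the questioner elided.
ALLOWED_CIDRS = ["203.0.113.0/24"]           # placeholder office range
ALLOWED_VPCES = ["vpce-0123456789abcdef0"]   # placeholder gateway endpoint id
ALLOWED_USERIDS = ["AROAEXAMPLEROLEID:*"]    # placeholder role id, any session name

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny unless the request comes from a listed IP or a listed VPC endpoint
            "Sid": "whitelistIp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::my-s3", "arn:aws:s3:::my-s3/*"],
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": ALLOWED_CIDRS},
                "StringNotEquals": {"aws:sourceVpce": ALLOWED_VPCES},
            },
        },
        {   # As in the question: Resource names only the bucket, not its objects
            "Sid": "DenyNonSSLTraffic", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::my-s3"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "AllowSpecificIamRoles", "Effect": "Allow", "Principal": "*",
            "Action": ["s3:ListBucket", "s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::my-s3", "arn:aws:s3:::my-s3/*"],
            "Condition": {"StringLike": {"aws:userid": ALLOWED_USERIDS}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """Operators and keys are ANDed; the listed values of one key are ORed."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            values = _as_list(values)
            actual = ctx.get(key)
            if operator in ("NotIpAddress", "StringNotEquals"):
                if actual is None:          # negated operator: absent key matches
                    continue
                if operator == "NotIpAddress":
                    ip = ipaddress.ip_address(actual)
                    if any(ip in ipaddress.ip_network(c) for c in values):
                        return False
                elif actual in values:
                    return False
            elif operator == "StringLike":
                if actual is None or not any(fnmatch.fnmatchcase(actual, v) for v in values):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(values[0]).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'ImplicitDeny' or 'ExplicitDeny:<Sid>' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return f"ExplicitDeny:{stmt['Sid']}"   # an explicit deny always wins
        decision = "Allow"
    return decision


# Constructed request contexts. A Lambda outside any VPC reaches S3 over the
# public internet (aws:SourceIp set, aws:sourceVpce absent); through a gateway
# endpoint aws:sourceVpce is set and aws:SourceIp is not present.
LAMBDA_ROLE_SESSION = "AROAEXAMPLEROLEID:my-lambda"
LAMBDA_WITHOUT_VPC = {"aws:SourceIp": "198.51.100.7", "aws:SecureTransport": "true",
                      "aws:userid": LAMBDA_ROLE_SESSION}
LAMBDA_VIA_VPCE = {"aws:sourceVpce": "vpce-0123456789abcdef0", "aws:SecureTransport": "true",
                   "aws:userid": LAMBDA_ROLE_SESSION}
OFFICE_IP_PLAIN_HTTP = {"aws:SourceIp": "203.0.113.10", "aws:SecureTransport": "false",
                        "aws:userid": "AROAEXAMPLEROLEID:alice"}

if __name__ == "__main__":
    obj = "arn:aws:s3:::my-s3/report.csv"
    print("GetObject, Lambda without endpoint:", evaluate(BUCKET_POLICY, "s3:GetObject", obj, LAMBDA_WITHOUT_VPC))
    print("GetObject, Lambda via endpoint:    ", evaluate(BUCKET_POLICY, "s3:GetObject", obj, LAMBDA_VIA_VPCE))
    print("ListBucket, office, plain HTTP:    ", evaluate(BUCKET_POLICY, "s3:ListBucket", "arn:aws:s3:::my-s3", OFFICE_IP_PLAIN_HTTP))
    print("GetObject, office, plain HTTP:     ", evaluate(BUCKET_POLICY, "s3:GetObject", obj, OFFICE_IP_PLAIN_HTTP))
```

The first two runs are the situation the answer addresses: with no gateway endpoint the request carries a public source IP and no aws:sourceVpce, so both halves of the whitelistIp condition hold and the explicit Deny fires regardless of the Allow statement; once the request arrives through a listed endpoint the StringNotEquals half fails and the Allow decides. The last run is the check a reviewer would want on the question's policy: a plain-HTTP GetObject is still allowed because DenyNonSSLTraffic lists only the bucket ARN, so a defender who wants TLS enforced on objects should add `arn:aws:s3:::my-s3/*` to that statement's Resource.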