
My goal is to copy the data from a set of S3 buckets into the main logging account bucket. Every time I try to perform:

aws s3 cp s3://sub-account-cloudtrail s3://master-acccount-cloudtrail --profile=admin;

I get

(AccessDenied) when calling the CopyObject operation: Access Denied

I've looked at this post: How to fix AccessDenied calling CopyObject

I am trying to add the bucket permissions to a Terraform data aws_iam_policy_document. The statement is written like so

data "aws_iam_policy_document" "s3" {
  version = "2012-10-17"

  statement {
    sid    = "CopyObjectPermissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ops-mgmt-admin"]
    }
    actions   = ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"]
    resources = ["${aws_s3_bucket.nfcisbenchmark_cloudtrail.arn}/*"]
  }

  statement {
    sid     = "CopyBucketPermissions"
    actions = ["s3:ListBucket"]
    effect  = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ops-mgmt-admin"]
    }
    resources = ["${aws_s3_bucket.nfcisbenchmark_cloudtrail.arn}/*"]
  }

}

My goal is to restrict the permissions to the role that is assumed from the sub-account to the master account. My specific question is what permissions need to be added in order to enable copy permissions?

Expected: Terraform plan runs successfully

Actual:

│ Error: Error putting S3 policy: MalformedPolicy: Action does not apply to any resource(s) in statement

How can I resolve this?

halfer
Evan Gertis

1 Answer


Two things to mention:

  1. In your second statement the resource is wrong, this is why you get the MalformedPolicy error. It should be:
     resources = [aws_s3_bucket.nfcisbenchmark_cloudtrail.arn]
  2. Be careful with the identifier. At this point I'm not really sure if your buckets are in different accounts or not. If they are, the account_id in the identifier should reference the source account. data.aws_caller_identity.current.account_id returns the account ID to which Terraform is authenticated, which usually is the account where you are deploying resources (destination account). If you are not doing cross-account copying, then it should be fine as it is.

Furthermore, in case of cross-account access, the ops-mgmt-admin role should have a policy applied to it which gives access to get/list/upload objects to an S3 bucket.

Ervin Szilagyi
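A corrected version of the configuration, written here as an added example rather than code taken from the question or the answer. It splits the bucket-level and object-level resources the way the answer describes, points the principal at the source account, and adds the identity policy on the ops-mgmt-admin role that the last paragraph mentions. It assumes that Terraform is authenticated to the destination (logging) account, that var.source_account_id is the sub-account owning ops-mgmt-admin, that a provider alias aws.source is authenticated to that sub-account (here via a profile named sub-account), and that the source bucket is the one named in the copy command; all of those names are assumptions, not something the page states.

```hcl
# Added example; not from the question or the answer.
# Assumptions: Terraform runs against the destination account,
# var.source_account_id is the sub-account that owns ops-mgmt-admin,
# the "sub-account" profile name is a placeholder, and
# aws_s3_bucket.nfcisbenchmark_cloudtrail is the destination bucket.
variable "source_account_id" {
  type = string
}

variable "source_bucket_name" {
  type    = string
  default = "sub-account-cloudtrail" # bucket named in the copy command
}

# Second provider, authenticated to the sub-account, used only to attach
# the role policy there. The profile name is an assumption.
provider "aws" {
  alias   = "source"
  profile = "sub-account"
}

locals {
  copier_role_arn = "arn:aws:iam::${var.source_account_id}:role/ops-mgmt-admin"
}

# Bucket policy on the destination bucket. Object-level actions need the
# "<bucket-arn>/*" resource; the bucket-level s3:ListBucket needs the bare
# bucket ARN. Giving ListBucket only "/*" is what produces
# "MalformedPolicy: Action does not apply to any resource(s) in statement".
data "aws_iam_policy_document" "s3" {
  statement {
    sid    = "CopyObjectPermissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [local.copier_role_arn]
    }
    actions   = ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"]
    resources = ["${aws_s3_bucket.nfcisbenchmark_cloudtrail.arn}/*"]
  }

  statement {
    sid    = "CopyBucketPermissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [local.copier_role_arn]
    }
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.nfcisbenchmark_cloudtrail.arn]
  }
}

resource "aws_s3_bucket_policy" "nfcisbenchmark_cloudtrail" {
  bucket = aws_s3_bucket.nfcisbenchmark_cloudtrail.id
  policy = data.aws_iam_policy_document.s3.json
}

# Identity-based policy for the role in the source account. For a
# cross-account call both sides must allow it: the bucket policy above in
# the destination account and this policy on the role's own account.
data "aws_iam_policy_document" "copier" {
  statement {
    sid     = "ReadSource"
    effect  = "Allow"
    actions = ["s3:ListBucket", "s3:GetObject"]
    resources = [
      "arn:aws:s3:::${var.source_bucket_name}",
      "arn:aws:s3:::${var.source_bucket_name}/*",
    ]
  }

  statement {
    sid     = "WriteDestination"
    effect  = "Allow"
    actions = ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"]
    resources = [
      aws_s3_bucket.nfcisbenchmark_cloudtrail.arn,
      "${aws_s3_bucket.nfcisbenchmark_cloudtrail.arn}/*",
    ]
  }
}

resource "aws_iam_role_policy" "copier" {
  provider = aws.source
  name     = "cloudtrail-copy" # assumed policy name
  role     = "ops-mgmt-admin"
  policy   = data.aws_iam_policy_document.copier.json
}
```

One caveat on the s3:PutObjectAcl grant: unless the destination bucket's Object Ownership setting is bucket-owner-enforced, objects written by the sub-account role remain owned by the sub-account, and the logging account cannot read them until the copy passes `--acl bucket-owner-full-control`. That ACL write is the reason PutObjectAcl is included alongside PutObject; if the bucket is bucket-owner-enforced, ACLs are ignored and the grant can be dropped.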