
I have 2 IAM Roles A & B that are assumed by 2 EC2 instances. I would like to grant role A access to the ServerA/ key and all subkeys and objects in an S3 bucket.

I would like to do the same for Role B but give it access to only the ServerB/ key and all subkeys and objects starting with that key.

S3 bucket layout:

- SqlServerBackups/
    - ServerA/
        - DBAdmin/
            - DIFF/
                - backup1.bak
                - ..
            - FULL/
                - fullbackup1.bak
                - ..
    - ServerB/
        - DBAdmin/
            - DIFF/
                - backup1.bak
                - ..
            - FULL/
                - fullbackup1.bak
                - ..

When I try to perform this sync

aws s3 sync E:\BACKUPS\VOL01\MSSQL15.MSSQLSERVER\MSSQL\Backup\ s3://bucketname/SqlServerBackups/ServerA/

operation from ServerA, I am getting this error:

upload failed: E:\BACKUPS\VOL01\MSSQL15.MSSQLSERVER\MSSQL\Backup\OperatorData\LOG\OperatorData.trn to
s3://bucketname/SqlServerBackups/ServerA/OperatorData/LOG/OperatorData_LOG_20221011_111601.trn 
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

This is the custom IAM policy attached to the ServerA EC2 instance's role:

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:AbortMultipartUpload"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/ServerA/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

What am I missing here? My policy seems to be causing the issue but I am not sure what permissions I am missing to fix the issue.

Georgi Koemdzhiev

1 Answer


Try this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<<bucketname>>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "ServerB/*"
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::<<bucketname>>/ServerB/*"
        }
    ]
}
baduker
    Thank you for your answer. It helped me spot a mistake in my policy: I forgot that my `s3` bucket contained a root key called `SqlServerBackups` (I have updated my S3 bucket layout in my question). After prepending that key using your suggested policy, I was able to run the `sync` command fine. Thank you :) – Georgi Koemdzhiev Oct 11 '22 at 10:54
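The mistake the comment above describes (object Resource ARNs that omit the `SqlServerBackups/` root key, so the object ARN in the error message never matches) is easy to check offline before attaching a policy. The script below is an added example, not code from the question or the answer: it builds the per-server policy the answer describes (`s3:ListBucket` on the bucket ARN limited by the `s3:prefix` condition, object actions on `<bucket>/<prefix>/*`) and evaluates which keys the question's original policy and the corrected one cover. The bucket name `bucketname` and the keys are taken from the question; the helper names are my own, and it models only `Allow` statements and `StringLike` conditions, so it is a sanity check rather than a full IAM evaluator. It also drops `s3:PutObjectAcl`/`s3:GetObjectAcl`, which `aws s3 sync` does not need unless you pass `--acl`.

```python
"""Added example (not the question's or the answer's code): build a
prefix-scoped S3 policy and check offline which keys it covers.
Bucket name and keys come from the question; helper names are assumptions.
Only Allow statements and StringLike conditions are modelled."""
import fnmatch
import json

BUCKET = "bucketname"


def _matches(value, patterns):
    """IAM-style wildcard match: * and ? match any characters, including /."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def server_policy(bucket, prefix):
    """Least-privilege policy for one server's backup prefix.

    prefix is the full key prefix inside the bucket, e.g.
    "SqlServerBackups/ServerA", including any root key above the server folder.
    """
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnPrefixOnly",
                "Effect": "Allow",
                # ListBucket is a bucket-level action, so the Resource is the
                # bucket ARN; the s3:prefix condition limits what can be listed.
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}/*"}},
            },
            {
                "Sid": "ReadWriteOwnPrefix",
                "Effect": "Allow",
                # Object-level actions are matched against the object ARN,
                # which contains the full key, root key included.
                "Action": ["s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def allowed_actions(policy, resource_arn, context=None):
    """Actions that Allow statements grant on resource_arn under context."""
    context = context or {}
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _matches(resource_arn, stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        # A context key that is absent never satisfies a StringLike condition.
        if not all(_matches(context.get(k, ""), v) for k, v in cond.items()):
            continue
        acts = stmt["Action"]
        granted.update([acts] if isinstance(acts, str) else acts)
    return granted


def can_put(policy, key):
    return "s3:PutObject" in allowed_actions(policy, f"arn:aws:s3:::{BUCKET}/{key}")


def can_list(policy, prefix):
    return "s3:ListBucket" in allowed_actions(
        policy, f"arn:aws:s3:::{BUCKET}", {"s3:prefix": prefix}
    )


# The policy as posted in the question: the object Resource omits the
# SqlServerBackups/ root key, so no real object ARN in the bucket matches it.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl",
                   "s3:GetObject", "s3:GetObjectAcl", "s3:AbortMultipartUpload"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/ServerA/*"],
    }],
}
FIXED_POLICY = server_policy(BUCKET, "SqlServerBackups/ServerA")

# The key that failed with AccessDenied in the question's error message.
FAILED_KEY = "SqlServerBackups/ServerA/OperatorData/LOG/OperatorData_LOG_20221011_111601.trn"

if __name__ == "__main__":
    print(json.dumps(FIXED_POLICY, indent=4))
    print("question policy allows PutObject:", can_put(QUESTION_POLICY, FAILED_KEY))
    print("fixed policy allows PutObject:   ", can_put(FIXED_POLICY, FAILED_KEY))
    print("fixed policy reaches ServerB:    ",
          can_put(FIXED_POLICY, "SqlServerBackups/ServerB/DBAdmin/FULL/fullbackup1.bak"))
```

Because `aws s3 sync` lists the destination prefix it is given, a `ListBucket` grant conditioned on `s3:prefix` = `SqlServerBackups/ServerA/*` is enough for the command in the question; a sync aimed at the bucket root would be denied on the listing step, which is the intended behaviour for a per-server role. For the real thing, the IAM policy simulator or `aws iam simulate-principal-policy` gives the authoritative answer, since it also evaluates bucket policies and explicit denies that this check does not model.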