
I have a Lambda function in the destination account that copies S3 objects from source_A to destination_B.

For the source bucket I have attached the following permissions (I have also tried `s3:Get*` and `s3:List*` as the Action):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::destination_B:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::source_A",
                "arn:aws:s3:::source_A/*"
            ]
        }
    ]
}

For the destination Lambda function, I have attached a policy which is also fairly simple, nothing complex here, and I have changed the bucket ownership.

{
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source_A",
                "arn:aws:s3:::source_A/*",
                "arn:aws:s3:::destination_B",
                "arn:aws:s3:::destination_B/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

I know this question has been asked before, but I am unable to locate the mistake. It is likely going to be something very small in some policy or permission. Even giving `*` permission doesn't solve the issue.

A small hint would be great. Thanks

zafar
  • I suspect that it is due to the `head_object` command not accepting an `s3:x-amz-acl` condition. If you remove that condition, does it work? If your goal in having that condition is to force object ownership in the destination bucket, then instead **consider disabling ACLs on the bucket** ("Bucket owner enforced"). See: [Controlling ownership of objects and disabling ACLs for your bucket - Amazon Simple Storage Service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) – John Rotenstein Mar 04 '23 at 06:01
  • Actually, even without it, it doesn't work. – zafar Mar 04 '23 at 06:07
  • Can you check Cloudtrail and see what's the exact error logged? – Pratik Mar 04 '23 at 06:33
  • Can you try the following "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": "[AccountB]" }, "ArnLike": { "aws:SourceArn": "arn:aws:logs:[Region]:[AccountB]:*" } } – Sri Mar 04 '23 at 06:36
  • Is it the same result when you try CopyObject? (I presume you only tried head_object as a test.) Can you also try changing the source bucket Principal to point to the ARN of the Lambda function's IAM Role? Oh, and can you please be specific and tell us which bucket you were trying to head_object to? – John Rotenstein Mar 04 '23 at 08:03
  • @JohnRotenstein I have solved the issue. So there was nothing wrong with the policy and permissions; I could transfer files with the extensions (.txt, .json, and .csv). However, the media files with extensions (.wav, .png, etc.) give a HeadObject 404 or a CopyObject permission denied error. – zafar Mar 07 '23 at 08:14
  • This is most unusual! Amazon S3 does not care about the content or type of objects. There must be some configuration somewhere that is causing this behaviour (or something strange in your code). Anyway, glad to know you solved it! If you have a solution that future readers can use, you are welcome to create your own Answer. – John Rotenstein Mar 07 '23 at 20:47
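As an added illustration (not posted by the asker or any commenter) of the point raised about `head_object` and the `s3:x-amz-acl` condition: a `StringEquals` condition evaluates to false whenever the request does not carry that key at all, so a single statement that scopes `s3:*` with it silently denies `HeadObject`, `GetObject` and `ListBucket` on the source, which never send an ACL header. The policy below, assumed to be attached to the Lambda function's role, therefore grants the source reads unconditionally and keeps the ACL condition only on the `PutObject` to destination_B; the source bucket policy still has to grant those read actions to the destination account or role. With "Bucket owner enforced" object ownership on the destination, the condition and the ACL header are not needed at all.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadSourceBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::source_A",
                "arn:aws:s3:::source_A/*"
            ]
        },
        {
            "Sid": "WriteDestinationWithOwnerAcl",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::destination_B/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
```

CopyObject is authorized as a GetObject on the source key plus a PutObject on the destination key, so both statements are exercised by a single copy call.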
