Amazon Bucket Policy Failure

Viewing 6 posts - 1 through 6 (of 6 total)

    #86782
    Wayne
    Participant

    Hi,

    I’m following the script here: https://updraftplus.com/faqs/what-settings-should-i-use-for-amazon-s3-and-how-should-i-configure-my-amazon-s3-account/ and using the policy provided, I’m getting a “Statement is missing required element – Statement “NO_ID-1” is missing “Principal” element” error. Was wondering if something has changed, but I’m not finding much out there on this error. I’ve used this for over 10 different site backups, but it’s been over a year since I’ve had to set another up.

    Here is the statement I’m trying to apply:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": "arn:aws:s3:::website-backup-mywebsite.com"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:AbortMultipartUpload",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:PutObjectAclVersion"
          ],
          "Resource": "arn:aws:s3:::website-backup-mywebsite.com/*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "*"
        }
      ]
    }

    Any love?

    #86787
    Wayne
    Participant

    Interesting. Using this: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html I was able to modify it to the following to get it to work. Dropped the last “ListAllMyBuckets” statement, removed s3:PutObjectVersion, and added in some additional elements.

    {
      "Version": "2012-10-17",
      "Id": "123",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": "*",
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": "arn:aws:s3:::website-backup-mywebsite.com"
        },
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": "*",
          "Action": [
            "s3:AbortMultipartUpload",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Resource": "arn:aws:s3:::website-backup-mywebsite.com/*"
        }
      ]
    }

    #86994
    udadmin
    Keymaster

    Hi Wayne,

    Thanks for the report. Have you confused a user policy with a bucket policy? The one on the UD FAQ page is a user policy, restricting what an Amazon IAM user can do; it sounds like you’ve pasted a bucket policy, restricting what can be done on a specific bucket – ?

    Best wishes,
    David

    #87218
    Wayne
    Participant

    OMG

    you’re absolutely right. *facepalm*

    Thanks!

    #87220
    udadmin
    Keymaster

    We’ve all done worse!

    You may want to set up a user policy – additionally, if not instead – as this protects your other AWS resources against someone stealing your AWS keys from the website, if the website ever gets hacked.

    David

    #87228
    Wayne
    Participant

    That’s what I was doing originally, when I was rolling this out to all my sites. Each site gets its own user. It’s just been a while since I’ve needed to set this up again.

    This time, I’m creating an Evernote entry for myself. lol

    Love the tool. Best one in my collection that I use with every site I develop.

    Wayne
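
Added example, not part of the original thread and not UpdraftPlus or AWS code: a small pre-paste check for the mix-up discussed above. It reports statements that lack `Principal` when the document is headed for the bucket policy editor, statements that carry `Principal` when it is headed for an IAM user, and any `Allow` whose principal is `"*"` with no `Condition`, which applies to every caller rather than one backup user. The function name, finding labels and the `example-backup-bucket` name are assumptions made for this illustration.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" and {"AWS": "*"} both mean anyone, including anonymous callers.
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def lint_policy(text, attach_to):
    """Lint a policy document; attach_to is 'bucket' or 'user' (where it will be pasted)."""
    findings = []
    statements = _as_list(json.loads(text).get("Statement", []))
    for n, st in enumerate(statements, 1):
        has_principal = "Principal" in st or "NotPrincipal" in st
        if attach_to == "bucket" and not has_principal:
            # A user (identity) policy pasted into the bucket policy editor.
            findings.append((n, "missing-principal"))
        if attach_to == "user" and has_principal:
            # Identity policies take their principal from the user they are attached to.
            findings.append((n, "principal-in-user-policy"))
        if (st.get("Effect") == "Allow" and _is_public(st.get("Principal"))
                and "Condition" not in st):
            actions = ",".join(sorted(_as_list(st.get("Action", []))))
            findings.append((n, "public-allow:" + actions))
    return findings

# Constructed samples modelled on the two policies in the thread (placeholder bucket name).
USER_STYLE = """{"Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
   "Resource": "arn:aws:s3:::example-backup-bucket"},
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::example-backup-bucket/*"}]}"""

BUCKET_STYLE = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::example-backup-bucket/*"}]}"""

if __name__ == "__main__":
    for name, text, target in [("user-style as bucket policy", USER_STYLE, "bucket"),
                               ("user-style as user policy", USER_STYLE, "user"),
                               ("bucket-style as bucket policy", BUCKET_STYLE, "bucket")]:
        print(name, "->", lint_policy(text, target) or "no findings")
```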
