hashnao's Blog: s3

Thursday, August 7, 2014

Failed Access Denied: S3 properties on us-east-1 region

When I created s3 buckets at each regions including us-east-1, us-west1, us-west-2, and ap-northeast-1 and applied the IAM policies below to a IAM group. I got some of the properties of other than us-east-1 region somehow.
I created an IAM group and attached two IAM policies with the group.


IAM policy to define the buckets to operate and access source IP address.

{
  "Statement": [
    {
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "xxx.xxx.xxx.xxx/32",
            "xxx.xxx.xxx.xxx/32"
          ]
        }
      },
      "Resource": [
        "arn:aws:s3:::bucket_name.ap-northeast-1",
        "arn:aws:s3:::bucket_name.ap-northeast-1/*",
        "arn:aws:s3:::bucket_name.us-west-1",
        "arn:aws:s3:::bucket_name.us-west-1/*",
        "arn:aws:s3:::bucket_name.us-west-1",
        "arn:aws:s3:::bucket_name.us-west-1/*",
        "arn:aws:s3:::bucket_name.us-west-2",
        "arn:aws:s3:::bucket_name.us-west-2/*"
      ],
      "Action": "s3:*",
      "Effect": "Allow"
    }
  ],
  "Version": "2012-10-17"
}

IAM policy to list all the buckets for a s3 tool like S3 Browser

{
  "Statement": [
    {
      "Resource": "*",
      "Action": "s3:List*",
      "Effect": "Allow"
    }
  ],
  "Version": "2012-10-17"
}

I got the properties of us-west-1, us-west-2, ap-northeast-1, but couldn't get those of us-east-1, though the same IAM policies are applied.

I successfully got the properties of us-east-1 after adding the action as follows.

{
  "Statement": [
    {
      "Resource": "*",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Effect": "Allow"
    }
  ],
  "Version": "2012-10-17"
}

I am wondering if us-east-1 (US standard) region is different from other regions in how to apply IAM policy because it is the 1st region of AWS???

Wednesday, June 11, 2014

AWS CLI memorandum - Delete S3 Buckets and all of the objects simultaneously

When we put some objects into S3 bucket to verify or validate a CloudFormation stack by uploading a template to S3 bucket, the buckets store thousands of objects that I don't have to keep anymore and we sometimes have to pay too much cost for that after receiving the billing.

Why don't we delete all of the objects and buckets simultaneously or you should consider of using Object Lifecycle Management in advance to automatically delete the objects that has been expired.

* List the buckets you want to remove and input them into a file

$ aws s3api list-buckets | jq -r '.Buckets[] | .Name' | egrep 'bucket-name-[1-3]' | tee bucket.txt
bucket-name-1
bucket-name-2
bucket-name-3

* Recursively delete all of the objects, the buckets and confirm that they are deleted

$ while read line ; do
echo "`date '+%x %T'` ## Removing $line"
aws s3 rm s3://$line --recursive
aws s3api delete-bucket --bucket $line
aws s3 ls s3://$line
echo -e "`date '+%x %T'` ## Finished removing $line\n"
done < bucket.txt

06/11/2014 17:22:33 ## Removing bucket-name-1
delete: s3://bucket-name-1/object_01.txt
...
delete: s3://bucket-name-1/object_10.txt
A client error (NoSuchBucket) occurred: The specified bucket does not exist
06/11/2014 17:22:39 ## Finished removing bucket-name-1

06/11/2014 17:22:39 ## Removing bucket-name-2
delete: s3://bucket-name-2/object_01.txt
...
delete: s3://bucket-name-2/object_10.txt
A client error (NoSuchBucket) occurred: The specified bucket does not exist
06/11/2014 17:22:44 ## Finished removing bucket-name-2

06/11/2014 17:22:44 ## Removing bucket-name-3
delete: s3://bucket-name-3/object_01.txt
...
delete: s3://bucket-name-3/object_10.txt
A client error (NoSuchBucket) occurred: The specified bucket does not exist
06/11/2014 17:22:50 ## Finished removing bucket-name-3

* Use --quiet option if you want to quietly remove

$ while read line ; do
echo "`date '+%x %T'` ## Removing $line"
aws s3 rm s3://$line --recursive --quiet
aws s3api delete-bucket --bucket $line
aws s3 ls s3://$line
echo -e "`date '+%x %T'` ## Finished removing $line\n"
done < bucket.txt

06/11/2014 17:25:56 ## Removing bucket-name-1
A client error (NoSuchBucket) occurred: The specified bucket does not exist
06/11/2014 17:26:01 ## Finished removing bucket-name-1

06/11/2014 17:26:01 ## Removing bucket-name-2
A client error (NoSuchBucket) occurred: The specified bucket does not exist
06/11/2014 17:26:07 ## Finished removing bucket-name-2

06/11/2014 17:26:07 ## Removing bucket-name-3
A client error (NoSuchBucket) occurred: The specified bucket does not exist
06/11/2014 17:26:12 ## Finished removing bucket-name-3

That's it!

My bookshelf on Goodreads

Naoya's bookshelf: read

Building a Home Security System with BeagleBone

by Bill Pretty

Getting Started with Phalcon

by Stephan A Miller

I had known nothing about the Phalcon PHP framework before reading "Getting Started with Phalcon", but I learned the basic step by step with the following chapters: * Chapter 1: Installing Phalcon * Chapter 2: Setting Up a Phalcon Projec...

Mastering Zabbix

by Andrea Dalle Vacche

Mastering Zabbix is quite helpful for the beginners or the intermediate those who need to manage and monitor IT infrastructure especially for mission critical environment or with hundreds of nodes because it covers database-sizing, capac...

hashnao's Blog

ページ

Thursday, August 7, 2014

Failed Access Denied: S3 properties on us-east-1 region

Wednesday, June 11, 2014

AWS CLI memorandum - Delete S3 Buckets and all of the objects simultaneously

iJAWS@Doorkeeper

AWS Certified SysOps Administrator - Associate Level

AWS Certified Solutions Architect Associate Level