Certified Security - Specialty


Can a bucket policy allow access to S3 when a user has no S3 IAM policy access?

I tried creating a bucket policy which allowed a user full access to a bucket, but the user had no IAM policy S3 access. To me, that’s an implicit deny from IAM but an explicit allow from the bucket policy. The user couldn’t access the bucket, which says to me that it’s not quite the union of policies as Ryan describes in his lectures. If you have no access to S3, it seems it doesn’t matter what bucket policies allow; you actually have to be able to get to S3 in some sense for the bucket policy to come into play?

3 Answers

So, the ListAllMyBuckets action has to be allowed for the S3 Console to even list the bucket; this might be what is tripping you up.

I created a user, with just the policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*"
            }
        ]
    }

I then created an S3 bucket with the bucket policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1519539086750",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxxxxxxx:user/noaccess"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::mybucket/*",
                    "arn:aws:s3:::mybucket"
                ]
            }
        ]
    }

My "noaccess" user was able to fully access the bucket without being explicitly granted access to it in the IAM policy.

This applies only to buckets owned by the same account as the user. For cross-account access, you do need both an explicit IAM allow and a bucket policy to access buckets.

Phil Jay

I assume that cli / api access directly to the bucket would work without ListAllMyBuckets … but that’s only an assumption.

Felipe Cavalcanti

Your assumption is correct. I verified it by creating a new user with no IAM policies and a new S3 bucket with a Bucket Policy granting the user access. The user was able to access the Bucket through the CLI without requiring the s3:ListAllMyBuckets IAM Policy.

behnam.anisi

So the user can only access the S3 bucket with no IAM policy using the CLI? As I have tried this on the GUI, and you cannot access it if you have no IAM s3:List policy.
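To make the behaviour discussed in this answer and its comments concrete, here is a small Python model of the S3 authorization rules it relies on: an explicit Deny in any applicable policy wins, within one account an Allow in either the identity policy or the bucket policy is sufficient (the union), and across accounts both must Allow. It also shows why the console case differs: ListAllMyBuckets is evaluated against the resource "*", which a bucket policy (scoped to the bucket ARN) can never match. This is an added example written for this thread, not AWS code or anything posted by the answer's author; the account ids, the "partner" user, the object key and the extra Deny statement on s3:DeleteObject are constructed sample values.

```python
"""Simplified model of S3 request authorization with an IAM identity policy plus a
bucket policy. Added illustration for this thread, not AWS code; it encodes the
documented evaluation order (explicit Deny wins; within one account an Allow from
either policy is enough; across accounts both policies must Allow).
Account ids, user names, bucket and object names are constructed sample values."""
from fnmatch import fnmatchcase

BUCKET_OWNER_ACCOUNT = "111111111111"            # constructed: account owning the bucket
SAME_ACCOUNT_USER = f"arn:aws:iam::{BUCKET_OWNER_ACCOUNT}:user/noaccess"
OTHER_ACCOUNT_USER = "arn:aws:iam::222222222222:user/partner"   # constructed

# Identity policy from the answer above: only s3:ListAllMyBuckets, no bucket rights.
LIST_ONLY_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
}
EMPTY_IAM_POLICY = {"Version": "2012-10-17", "Statement": []}
FULL_ACCESS_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}],
}

# Bucket policy from the answer above (s3:* for the named users), plus a constructed
# explicit Deny on DeleteObject to show that Deny beats any Allow.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": [SAME_ACCOUNT_USER, OTHER_ACCOUNT_USER]},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::mybucket/*", "arn:aws:s3:::mybucket"]},
        {"Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::mybucket/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatchcase(value, p) for p in patterns)


def statement_applies(stmt, principal_arn, action, resource):
    """True if the statement's Action, Resource and (if present) Principal all match."""
    actions = [a.lower() for a in _as_list(stmt["Action"])]   # action names are case-insensitive
    if not _matches(actions, action.lower()):
        return False
    if not _matches(_as_list(stmt["Resource"]), resource):    # resource ARNs are case-sensitive
        return False
    if "Principal" in stmt:                                    # only resource policies name one
        principal = stmt["Principal"]
        allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not _matches(allowed, principal_arn):
            return False
    return True


def decision(policy, principal_arn, action, resource):
    """Evaluate one policy document to 'Deny', 'Allow' or 'ImplicitDeny'."""
    result = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if statement_applies(stmt, principal_arn, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"                   # an explicit Deny short-circuits everything
            result = "Allow"
    return result


def is_allowed(identity_policy, bucket_policy, principal_arn, action, resource):
    """Combine the caller's identity policy with the bucket owner's bucket policy."""
    iam = decision(identity_policy, principal_arn, action, resource)
    bucket = decision(bucket_policy, principal_arn, action, resource)
    if "Deny" in (iam, bucket):
        return False
    caller_account = principal_arn.split(":")[4]
    if caller_account == BUCKET_OWNER_ACCOUNT:
        return "Allow" in (iam, bucket)         # same account: union of the two policies
    return iam == "Allow" and bucket == "Allow"  # cross-account: both sides must allow


def thread_scenarios():
    """Re-run the cases discussed in the thread; returns {scenario: allowed?}."""
    obj = "arn:aws:s3:::mybucket/report.csv"
    return {
        # CLI/API call aimed at the bucket: the bucket policy alone suffices in-account.
        "same_account_get_object": is_allowed(
            LIST_ONLY_IAM_POLICY, BUCKET_POLICY, SAME_ACCOUNT_USER, "s3:GetObject", obj),
        "same_account_no_iam_at_all": is_allowed(
            EMPTY_IAM_POLICY, BUCKET_POLICY, SAME_ACCOUNT_USER, "s3:GetObject", obj),
        # The console first calls ListAllMyBuckets on resource '*'; a bucket policy is
        # scoped to the bucket ARN and so can never grant it.
        "console_list_buckets_bucket_policy_only": is_allowed(
            EMPTY_IAM_POLICY, BUCKET_POLICY, SAME_ACCOUNT_USER, "s3:ListAllMyBuckets", "*"),
        "console_list_buckets_with_iam": is_allowed(
            LIST_ONLY_IAM_POLICY, BUCKET_POLICY, SAME_ACCOUNT_USER, "s3:ListAllMyBuckets", "*"),
        # Cross-account caller: bucket policy alone is not enough, IAM allow plus bucket is.
        "cross_account_bucket_policy_only": is_allowed(
            EMPTY_IAM_POLICY, BUCKET_POLICY, OTHER_ACCOUNT_USER, "s3:GetObject", obj),
        "cross_account_with_iam_allow": is_allowed(
            FULL_ACCESS_IAM_POLICY, BUCKET_POLICY, OTHER_ACCOUNT_USER, "s3:GetObject", obj),
        # Explicit Deny in the bucket policy overrides a full IAM allow.
        "explicit_deny_beats_iam_allow": is_allowed(
            FULL_ACCESS_IAM_POLICY, BUCKET_POLICY, SAME_ACCOUNT_USER, "s3:DeleteObject", obj),
    }


if __name__ == "__main__":
    for name, allowed in thread_scenarios().items():
        print(f"{name:42} {'ALLOW' if allowed else 'DENY'}")
```

Running the script prints one line per scenario; the two console cases side by side are the point of the thread: the bucket policy grants everything on mybucket, yet the console still needs s3:ListAllMyBuckets from the identity policy before it can show the bucket at all, while a CLI call such as GetObject against the bucket works with no S3 statement in IAM. The model ignores conditions, ACLs, session policies and permission boundaries, which also feed into real evaluations.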

Hi Andy,

There are multiple ways to control access to S3 buckets, and they overlap, which makes it even more fun to resolve.

Yes. If an IAM user has no S3 element in their policy, they could still have access via an S3 bucket policy, or even an ACL.

Start here.

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

There is also a good AWS doc that compares policies and ACLs and has some hint on when to use each.

Rusty
  Moderator & Coach

google: AWS s3 acl vs policy

behnam.anisi

Hello Rusty, are you sure, man? Because I created a new user with no IAM S3 policy and the user could not even see or list S3 buckets… even though it had full permission on the S3 bucket? This is important as I am going to sit my exam soon and cannot find an answer anywhere.
