Certified Security - Specialty


/* isn’t required if you are only referring to the bucket itself not the contents

This S3 bucket policy enables the root account 111122223333 and the IAM user Alice under that account to perform any S3 operation on the bucket named “my_bucket”, as well as that bucket’s contents.

So "arn:aws:s3:::my_bucket" is a valid resource:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/Alice",
          "arn:aws:iam::111122223333:root"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my_bucket",
        "arn:aws:s3:::my_bucket/*"
      ]
    }
  ]
}

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

4 Answers

arn:aws:s3:::my_bucket (plus "Action": "s3:*") allows actions that can be performed on a bucket, like CreateBucket, ListBucket, GetBucketPolicy, and so on.

arn:aws:s3:::my_bucket/* (plus "Action": "s3:*") allows actions that can be performed on objects within the bucket "my_bucket". That includes GetObject, PutObject, DeleteObject, and so on.

However, this policy does not allow other actions that require the asterisk (*) resource, which means "all resources", like HeadBucket or ListAllMyBuckets.

Also, keep in mind that if you attach a policy to the bucket, it only limits permissions. For example, if you have a bucket policy to allow Alice to do these things, Alice must also have permission (for example, in a policy attached to the user) to do these actions. However, if Bob has permissions to access my_bucket, his permission is denied by this bucket policy. You must have permission on your user (identity-based policy) and on your bucket (resource-based policy). If you are denied access by either, the deny wins.

One more thing. Because this policy doesn’t allow ListAllMyBuckets, Alice cannot access my_bucket in the AWS Management Console.

Steven Moran

ListAllMyBuckets is sneaky…

Barry Sheward

See below, the second part of your explanation is incorrect.

The second part of stephswo’s explanation is not correct. Bucket policies can add permissions as well as limit them. This is illustrated by Ryan in the first part of the lab in the S3 Bucket Policies video where he gives the MyS3User DeleteObject access to the myacloudgurusecuritybucket in the bucket policy, when the IAM user’s policy only allowed ReadOnly access. Policy evaluation logic is described in http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Barry Sheward

I agree.

I created a user, with just the policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}

I then created an S3 bucket with the bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1519539086750",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxx:user/noaccess"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::mybucket"
      ]
    }
  ]
}

My "noaccess" user was able to fully access the bucket without being explicitly granted access to it in the IAM policy.

I think @stephswo’s argument is valid for cross-account access. The user must explicitly be granted access to the bucket in the other account using an IAM policy, and be granted access to the bucket itself using the bucket resource policy.

alomari386

Yeah, but you still had to grant the user "s3:ListAllMyBuckets" using an IAM policy. So technically bucket policies alone are not enough.

The error Ryan got in his video actually makes sense. He was trying to grant "DeleteObject" on a "bucket", which doesn’t work because "DeleteObject" is for bucket content and not the bucket itself. If he had used "S3:DeleteBucket" instead he wouldn’t have gotten the error, but that would only give you permission to delete the entire bucket and not individual items from that bucket. To allow or deny access to a bucket and its contents you would want to use:

"Resource": [
  "arn:aws:s3:::MyExampleBucket",
  "arn:aws:s3:::MyExampleBucket/*"
]
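The two points the thread keeps returning to (the bucket ARN versus the bucket/* ARN, and how an identity policy and a bucket policy combine in the same account versus across accounts) can be checked with a small simulator. This is an added example, not code from the thread or from AWS; it is a deliberately simplified model that assumes only Effect/Principal/Action/Resource statements (no Condition, NotAction, ACLs, SCPs or session policies), and the "noaccess" user, account IDs and bucket names are constructed to mirror the experiment above.

```python
from fnmatch import fnmatchcase  # IAM-style '*' / '?' wildcard matching

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _decision(policy, action, resource, principal=None):
    """Return 'Deny', 'Allow' or None (no statement matched the request)."""
    result = None
    for stmt in policy.get("Statement", []):
        if "Principal" in stmt:  # resource policy: principal must be listed
            if principal not in _as_list(stmt["Principal"].get("AWS", [])):
                continue
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        result = "Allow"
    return result

def is_allowed(identity_policy, bucket_policy, principal_arn, bucket_account,
               action, resource):
    """Combine the identity-based and bucket policy as the thread describes."""
    ident = _decision(identity_policy, action, resource)
    bucket = _decision(bucket_policy, action, resource, principal_arn)
    if "Deny" in (ident, bucket):
        return False
    same_account = principal_arn.split(":")[4] == bucket_account
    if same_account:
        return "Allow" in (ident, bucket)  # either policy alone is enough
    return ident == "Allow" and bucket == "Allow"  # cross-account: both needed

# Constructed sample: the "noaccess" user only has ListAllMyBuckets in IAM.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}

def bucket_policy(principal, resources):
    """Constructed bucket policy granting the principal s3:* on resources."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal},
         "Action": "s3:*", "Resource": resources}]}

if __name__ == "__main__":
    user = "arn:aws:iam::111122223333:user/noaccess"
    only_bucket_arn = bucket_policy(user, "arn:aws:s3:::mybucket")
    print(is_allowed(IDENTITY_POLICY, only_bucket_arn, user, "111122223333",
                     "s3:GetObject", "arn:aws:s3:::mybucket/file.txt"))  # False
```

Dropping the "/*" entry leaves object-level calls such as GetObject unmatched, while ListBucket on the bucket ARN still succeeds; adding a Principal from another account shows that the bucket policy alone no longer suffices.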
