Certified Security - Specialty


S3 ACL access policy

As per Amazon's "Overview of Security Process" whitepaper, S3 ACLs cannot give access to a specific user: "Within Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. With ACLs, you can only grant other AWS accounts (not specific users) access to your Amazon S3 resources". But here it was said you can do it using the CLI. I think it is misleading information in the lecture.

2 Answers

Thanks. We'll take a look at that lecture and see if it needs an update.

IMO the whitepaper is incorrect and incomplete, whilst the course content is correct but not complete. I'm using the whitepaper here, https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf, page 49, second bullet: "Access Control Lists (ACLs). Within Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. With ACLs, you can only grant other AWS accounts (not specific users) access to your Amazon S3 resources".

As described by Ryan (03:10 to 04:51) in the current course content this can be done for a user in the same account using CLI or API using both the AWS account number and the canonical user id.

There's also a step-by-step example of how to do this between two different accounts in the S3 documentation, again using the CLI or API: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html

Adam C

Steve, sorry, but you're wrong on that. The lecture is absolutely wrong. At 4:40, Ryan says "Yes you can apply object ACLs to individual IAM users". ACLs can only be applied to canonical IDs or e-mail addresses, i.e. the ACL applies to the entire account. The link and your description further clarify that it only operates at the account level. The documentation on canonical IDs even says, "The canonical user ID is an identifier for your account": https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html#FindingCanonicalId

Adam C

Point is, there is no such thing as a canonical user ID for an IAM user. The only time an account might have more than one canonical ID (that I'm aware of) is with CloudFront distributions.
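To make the distinction discussed in this thread concrete, here is an added example (not from the course or from any poster above): the grant shapes an S3 ACL accepts (CanonicalUser, AmazonCustomerByEmail, Group, all of which identify an account or a group, never one IAM user), a bucket policy that does name a single IAM user, and a small audit over a constructed `get-bucket-acl`-style document that flags grants reaching outside the bucket owner's account. All IDs, the bucket name and the user name are placeholders.

```python
"""S3 ACL grants are account-level; a bucket policy is how one IAM user is named.
Sample data below is constructed; canonical IDs and account IDs are placeholders."""
import json

# The only grantee types an S3 ACL understands; note there is no "IAM user" type.
ACL_GRANTEE_TYPES = {"CanonicalUser", "AmazonCustomerByEmail", "Group"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def acl_grant_for_account(canonical_id: str, permission: str = "READ") -> dict:
    """One Grant entry as accepted by `aws s3api put-bucket-acl --access-control-policy`.
    The CanonicalUser ID identifies a whole AWS account, not a single IAM user."""
    return {"Grantee": {"Type": "CanonicalUser", "ID": canonical_id},
            "Permission": permission}

def bucket_policy_for_iam_user(bucket: str, account_id: str, user_name: str) -> dict:
    """Bucket policy granting read to exactly one IAM user via its ARN as Principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReadForOneUser", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
        "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def audit_acl(acl: dict, own_canonical_id: str) -> list:
    """Return findings for every grant that reaches outside the owner's account:
    another account's canonical ID, an e-mail grantee, or a global group."""
    findings = []
    for g in acl.get("Grants", []):
        grantee, perm = g["Grantee"], g["Permission"]
        if grantee["Type"] not in ACL_GRANTEE_TYPES:
            raise ValueError(f"not a valid S3 ACL grantee type: {grantee['Type']}")
        if grantee["Type"] == "Group":
            findings.append(f"{perm} granted to group {grantee['URI']}")
        elif grantee["Type"] == "AmazonCustomerByEmail":
            findings.append(f"{perm} granted to account via email {grantee['EmailAddress']}")
        elif grantee["ID"] != own_canonical_id:
            findings.append(f"{perm} granted to external account {grantee['ID']}")
    return findings

# Constructed sample shaped like `aws s3api get-bucket-acl` output (placeholder IDs).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        acl_grant_for_account("owner-canonical-id-placeholder", "FULL_CONTROL"),
        acl_grant_for_account("other-account-canonical-id-placeholder", "READ"),
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL, "owner-canonical-id-placeholder"):
        print("ACL finding:", finding)
    print(json.dumps(bucket_policy_for_iam_user("example-bucket", "111122223333", "alice"), indent=2))
```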
