Bucket policy: allow all principals from account for same-account access

0

I am trying to write a bucket policy that enables access for all principals in the AWS account, including those that do not have identity-based policies that explicitly allow access to the bucket.

When I listed the AWS account as the principal in the bucket policy, roles and users that don't also have identity based policies that enable access are getting denied. However, it works when I list a specific role/user ARN as the bucket policy principal.

Here is an example bucket policy that isn't working:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "XXXXXXXXXXXX"
    },
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::BUCKET",
        "arn:aws:s3:::BUCKET/*"
    ]
}

How do I whitelist all roles/users in the account? (So I can further limit access based on conditions)

1 Antwort
0

If the account is an owner of the bucket, you should be able to access even without any permission.

So I am guessing you are trying to enable cross-account access for your S3?

If so, you need to give a specific permission for that user or role to access to that S3 in a different account. By design, this is how S3 controls permissions, with which that SQS, DynamoDB? shares a similar trait

beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen