Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

grant access to one role in another account to all objects in an S3 bucket?

0

Is it possible to grant (read) access to one role in another account to all objects within one bucket while still having "Block all public access" on?

I "fear" that specifying "All" objects in my policy might make my policy "public" in which case it is ignored as long as "Block all public access" is on.

Is it correct?

If so, how should I setup my S3 bucket security to only grant access to that outside role?

Temas
Almacenamiento
Etiquetas
Amazon Simple Storage Service
Idioma
English
EricGfK
preguntada hace 3 años1307 visualizaciones
3 Respuestas
1

Hi there,

The short answer to this question is yes, it is possible to grant a cross account role access to your bucket while having S3 Block Public Access setting activated. Digressing a bit, S3 Block Public Access settings[1] are used to provide control across an entire AWS Account or at the individual S3 bucket level to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.

Now a bucket policy is considered to be granting public access if it contains the Principal value as follows without any restricting conditions:

"Principal": "*"

'*' here is used as a wildcard, to be interpreted as providing anonymous access or access to all.

If such a bucket policy is enabled on a bucket and if the S3 Block Public Access settings are 'on', then S3 Block Public Access settings override the S3 permissions that allow public access. (Specifying all object resources in the bucket policy by itself does not render a bucket public.) Therefore, you can provide access to a cross account role using a bucket policy similar to:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "cross_account_role_ARN",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your_bucket_name/*"
}
]
}

This policy provides read access to all objects in your S3 bucket only to the cross account role. In case you're looking to provide console access, you can also add "s3:ListBucket" permission[2] (with the bucket as the resource) to list all objects in the bucket.

Hope this helps!

References:
[1] S3 Block Public Access - https://aws.amazon.com/s3/features/block-public-access/
[2] Actions defined by Amazon S3 - https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions
[-] Bucket policy examples - https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

AWS
INGENIERO DE SOPORTE
Deepika_K
respondido hace 3 años
1

I tried to be VERY agressive with my permissions but still unable to read anything in the bucket...

{
"Version": "2012-10-17",
"Id": "Policy1631205389485",
"Statement": [
{
"Sid": "Stmt1631205373926",
"Effect": "Allow",
"Principal": "",
"Action": "s3:",
"Resource": "arn:aws:s3:::my-bucket-here/*"
}
]
}

I did not even setup the Block All Policy Access

And yet, if I try to browse

aws s3 --profile saml ls s3://my-bucket-here

I get this error message...

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

It looks like I have opened all doors!!!

Edited by: EricGfK on Sep 9, 2021 5:52 PM

EricGfK
respondido hace 3 años
1

Apparently, I had to mention both bucket and bucket content in the policy...

        "Resource": \[  
            "arn:aws:s3:::my-bucket-name",  
            "arn:aws:s3:::my-bucket-name/*"  
        ]
EricGfK
respondido hace 3 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante