How to allow clients to write to an S3 bucket only if the bucket is in a specific AWS account?

Question

These are the general formats for Amazon Resource Names (ARNs):

- arn:partition:service:region:account-id:resource-id
- arn:partition:service:region:account-id:resource-type/resource-id
- arn:partition:service:region:account-id:resource-type:resource-id

[https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html][1]

The challenge with S3:

S3 buckets are globally unique (well, if we exclude Gov Cloud and China regions). That is why S3 ARNs do not include **region** and  the **AWS account ID**:

arn:aws:s3:::examplebucket

Now, what the customer is saying:

- we own a bucket
- we write a policy allowing service X to write secret file Y to the bucket
- we delete the bucket (and its contents), forgetting about service X
- someone else creates a bucket and allows anybody to write to it
- service X writes to "the bucket" (now owned by someone else)

It would be trivial to avoid by only allowing service X to write to "bucket foo" in a particular account, but AWS IAM explicitly disallows bucket ARNs with account IDs in them.

Is there any workaround for this?

Accepted Answer

The functionality that helps with validating bucket owner has been recently released:

https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-s3-bucket-owner-condition-helps-validate-correct-bucket-ownership/

Bucket Owner condition:

https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-owner-condition.html

How to allow clients to write to an S3 bucket only if the bucket is in a specific AWS account?

Contenido relevante