S3 Resource Owner and default Bucket/Object Privileges

0

Following is what the AWS Doc says:

"By default, all Amazon S3 resources—buckets, objects, and related subresources (for example, lifecycle configuration and website configuration)—are private: only the resource owner, an AWS account that created it, can access the resource."

I log in to my AWS account using the root user and create an S3 bucket and an object. While I can browse and see the objects, I get an "access denied" error when I try to click the HTTP link to the file from the AWS console. As the AWS account root user / resource owner, shouldn't I have been able to get a successful read instead of "access denied", as the doc suggests?

I turn the bucket into an "Objects can be public" bucket, but I still get the "access denied" error. I turn this object public. I now see the object when I click the HTTP link to the file from the AWS console.

So, the question is, what does it specifically mean when the doc says "...only the resource owner, an AWS account that created it, can access the resource.", given that even the resource owner was being denied access by default and a whole lot of granting had to be done to let even the resource owner, that is the AWS root account, get access?

asked 5 years ago, 375 views
2 answers
0
Accepted answer

Hello

I know the confusion, as I had the same problem.
The object you upload is yours (you are the owner and have full rights to it); you can download and delete it with no problems, right? The issue is clicking on the direct object URL to it, and that fails because that link does not carry any information about who you are, and thus the server cannot authenticate you; that's why it gives you an access denied.

If you were to compare in your browser what happens when you hit the download button, you will see that the browser sends header information with access control to "GeneratePresignedUrl", which returns to the browser something that looks like

presignedUrl: "https://s3.ap-northeast-1.amazonaws.com/your-bucket/object.ext?response-content-disposition=attachment&X-Amz-Security-Token=tokenvalue&X-Amz-Algorithm=value&X-Amz-Date=datetime&X-Amz-SignedHeaders=XXXX&X-Amz-Expires=SECONDS&X-Amz-Credential=CREDENTIALCODE%code2%REGION%s3%aws_request&X-Amz-Signature=signaturecode"

and that is the one that lets the browser get access to the object to download.

hope this helps,
RT

rtt
answered 5 years ago
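Worked example added here (not from the answer above, and not AWS's own code): what the console's presigned link carries that the plain object link lacks, built with the Python standard library only. `presign_get` and `unsigned_url` are hypothetical helpers; the access key and secret are AWS's published example values, and the bucket and object names are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def unsigned_url(bucket: str, key: str, region: str) -> str:
    """The plain object link: it names the object but carries no identity, so
    S3 treats the request as anonymous and answers 403 unless the object is public."""
    return f"https://{bucket}.s3.{region}.amazonaws.com" + quote("/" + key, safe="/")

def presign_get(bucket: str, key: str, region: str, access_key: str, secret_key: str,
                expires: int = 3600, amz_date: str = "", session_token: str = "") -> str:
    """Hypothetical equivalent of the console's GeneratePresignedUrl call: a SigV4
    query-string signature binding the caller's credential, a timestamp and a
    lifetime to this one GET, without putting the secret key in the URL."""
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # present when the caller holds temporary (STS) credentials
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: names sorted, RFC 3986 encoding ('/' becomes %2F).
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                               for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/")
    canonical_request = "\n".join(["GET", canonical_uri, canonical_query,
                                   f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key is derived from the secret through date/region/service, so the
    # secret never appears in the URL and the derived key is scoped to one day.
    k = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):
        k = _hmac_sha256(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"
```

Both URLs name the same object; only the presigned one lets S3 attribute the GET to an account, and it stops working after X-Amz-Expires seconds, so a leaked presigned link is time-bounded while a public object stays reachable until its ACL or policy changes.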
0

Thanks a lot. That makes sense.

answered 5 years ago
