How to allow clients to write to an S3 bucket only if the bucket is in a specific AWS account?
0
These are the general formats for Amazon Resource Names (ARNs):
- arn:partition:service:region:account-id:resource-id
- arn:partition:service:region:account-id:resource-type/resource-id
- arn:partition:service:region:account-id:resource-type:resource-id
[https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html][1]
The challenge with S3:
S3 buckets are globally unique (well, if we exclude Gov Cloud and China regions). That is why S3 ARNs do not include region and the AWS account ID:
arn:aws:s3:::examplebucket
Now, what the customer is saying:
- we own a bucket
- we write a policy allowing service X to write secret file Y to the bucket
- we delete the bucket (and its contents), forgetting about service X
- someone else creates a bucket and allows anybody to write to it
- service X writes to "the bucket" (now owned by someone else)
It would be trivial to avoid by only allowing service X to write to "bucket foo" in a particular account, but AWS IAM explicitly disallows bucket ARNs with account IDs in them.
Is there any workaround for this?
demandé il y a 4 ans976 vues
1 réponse
- Le plus récent
- Le plus de votes
- La plupart des commentaires
0
The functionality that helps with validating bucket owner has been recently released:
Bucket Owner condition:
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-owner-condition.html
répondu il y a 4 ans
Contenus pertinents
- demandé il y a un an
- demandé il y a un an
- demandé il y a un an
AWS OFFICIELA mis à jour il y a 2 ans- AWS OFFICIELA mis à jour il y a 9 mois
