S3 Bucket List reveals top-level object names

0

The Situation

Customer is building a bucket that ingests data from multiple outside customers. If we call it "ingest-bucket", their intent is to use a folder structure with one folder per customer. The intended structure is something like this:

  • ingest-bucket/customer1/data1.log
  • ingest-bucket/customer1/data2.log
  • ingest-bucket/customer2/data1.log
  • ingest-bucket/customer2/data2.log
  • ingest-bucket/customer3/data1.log
  • ingest-bucket/customer3/data2.log

...and so on...

The Task

They have tried to give a third party access to just the ingest folder that corresponds to them. Imagine this is an engineer from customer2. It appears that they need to grant S3:ListBucket in order to allow them to read and download the files.

The Problem

The problem is that when customer2 does a ListBucket command, they can see the existence of the customer1 and customer3 folders. They don't have access to any objects inside those folders, but they can see the existence of the folder itself. This is a problem because Siemens doesn't want customer2 to see the folder named "customer1". It tells customer2 that customer1 is a Siemens customer and that's undesirable.

Possible Solution

Is there a solution to this? We decided to potentially use random names for this first-level folder, which anonymises the folder names. That's not great, but it's acceptable. Is there something I'm missing, though?

They've created an S3 bucket policy something like this:

{
    "Id": "bucket123456",
    "Statement": [{
        "Sid": "1",
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket",
        "Principal": { "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user" }
    }, {
        "Sid": "2",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket/customer2/*",
        "Principal": { "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user" }
    }]
}
AWS
Asked 7 years ago, 493 views
1 answer
0
Accepted answer

Although you can't limit what is returned in the bucket listing, you can make a condition that the caller specifies a key prefix in the list call, which limits the results to just their 'folder'.

http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#condition-key-bucket-ops-2

Example policy with condition that requires them to provide a key prefix when listing:

{
    "Id": "bucket123456",
    "Statement": [{
        "Sid": "1",
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket",
        "Principal": { "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user" },
        "Condition": { "StringEquals": { "s3:prefix": "customer2" } }
    }, {
        "Sid": "2",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket/customer2/*",
        "Principal": { "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user" }
    }]
}
AWS
Expert
Answered 7 years ago
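To make the effect of the accepted answer's condition concrete, here is an added example (not code from the original post or from AWS) that models, offline and without any AWS calls, how the s3:prefix condition changes what a ListBucket caller can observe. The bucket contents are constructed from the folder layout in the question, and the evaluator implements only the StringEquals-on-s3:prefix rule the answer's policy uses.

```python
"""Offline model of ListBucket under an s3:prefix StringEquals condition.

Constructed example: keys and policy are assumptions taken from the question
and the accepted answer; nothing here talks to S3.
"""
from typing import List, Optional, Tuple

# Constructed bucket contents, mirroring the question's one-folder-per-customer layout.
BUCKET_KEYS = [
    "customer1/data1.log", "customer1/data2.log",
    "customer2/data1.log", "customer2/data2.log",
    "customer3/data1.log", "customer3/data2.log",
]

# The accepted answer's ListBucket statement reduced to its condition:
# allow the list call only when the request's s3:prefix equals "customer2".
LIST_POLICY = {
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::ingest-bucket",
    "Condition": {"StringEquals": {"s3:prefix": "customer2"}},
}


def list_allowed(policy: dict, request_prefix: Optional[str]) -> bool:
    """StringEquals on s3:prefix: a list call with no prefix leaves the
    condition key absent, and an absent key never satisfies StringEquals,
    so such a call is denied rather than returning the whole bucket."""
    cond = policy.get("Condition", {}).get("StringEquals", {})
    if "s3:prefix" not in cond:
        return True
    return request_prefix is not None and request_prefix == cond["s3:prefix"]


def list_bucket(keys: List[str], prefix: str = "", delimiter: str = "") -> Tuple[List[str], List[str]]:
    """Simulate ListObjects: return (objects, common prefixes) under `prefix`.
    With a delimiter, everything past the first delimiter after the prefix is
    rolled up into a common prefix, which is how top-level 'folders' leak."""
    objects, common = [], set()
    for key in keys:
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            common.add(prefix + rest.split(delimiter, 1)[0] + delimiter)
        else:
            objects.append(key)
    return objects, sorted(common)


def visible_to(policy: dict, keys: List[str], request_prefix: Optional[str]):
    """What one list call reveals to the caller under the policy."""
    if not list_allowed(policy, request_prefix):
        return "AccessDenied"
    return list_bucket(keys, request_prefix or "")
```

Without the condition, a delimiter listing of the bucket root returns the common prefixes customer1/, customer2/ and customer3/, which is exactly the exposure the question describes; with it, only a call carrying prefix customer2 succeeds.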
