Bucket policy: allow all principals from account for same-account access

0

I am trying to write a bucket policy that enables access for all principals in the AWS account, including those that do not have identity-based policies that explicitly allow access to the bucket.

When I listed the AWS account as the principal in the bucket policy, roles and users that don't also have identity based policies that enable access are getting denied. However, it works when I list a specific role/user ARN as the bucket policy principal.

Here is an example bucket policy that isn't working:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "XXXXXXXXXXXX"
    },
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::BUCKET",
        "arn:aws:s3:::BUCKET/*"
    ]
}

How do I whitelist all roles/users in the account? (So I can further limit access based on conditions)

1개 답변
0

If the account is an owner of the bucket, you should be able to access even without any permission.

So I am guessing you are trying to enable cross-account access for your S3?

If so, you need to give a specific permission for that user or role to access to that S3 in a different account. By design, this is how S3 controls permissions, with which that SQS, DynamoDB? shares a similar trait

답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠