S3 Resource Owner and default Bucket/Object Privileges

0

Following is what the AWS Doc says:

"By default, all Amazon S3 resources—buckets, objects, and related subresources (for example, lifecycle configuration and website configuration)—are private: only the resource owner, an AWS account that created it, can access the resource."

I log in to my AWS account using the root user and create an S3 bucket and an object. While I can browse and see the objects, I get an "access denied" error when I try to click the http link to the file from the AWS console. As the AWS account root user / resource owner, shouldn't I have been able to get a successful read instead of the "access denied", as the doc suggests?

I turn the bucket into an "Objects can be public" bucket. But I still get the "access denied" error. I turn this object into public. I now see the object when I try to click the http link to the file from the AWS console.

So, the question is: what does it specifically mean when the doc says "...only the resource owner, an AWS account that created it, can access the resource."? Even the resource owner was being denied access by default, and a whole lot of granting had to be done to give even the resource owner, that is the AWS root account, access.

Asked 5 years ago, 374 views
2 answers
0
Accepted answer

Hello

I know the confusion, as I had the same problem.
The object you upload is yours (you are the owner and have full rights to it); you can download and delete it with no problems, right? The issue is clicking on the direct object URL to it, and that fails because that link does not carry any information about who you are, and thus the server cannot authenticate you. That's why it gives you an access denied.

If you were to compare in your browser what happens when you hit the download button, you will see that the browser sends header information with access control to "GeneratePresignedUrl", which returns to the browser a URL that looks like
presignedUrl: "https://s3.ap-northeast-1.amazonaws.com/your-bucket/object.ext?response-content-disposition=attachment&X-Amz-Security-Token=tokenvalue&X-Amz-Algorithm=value&X-Amz-Date=datetime&X-Amz-SignedHeaders=XXXX&X-Amz-Expires=SECONDS&X-Amz-Credential=CREDENTIALCODE%code2%REGION%s3%aws_request&X-Amz-Signature=signaturecode"
and that is the one that lets the browser access the object to download it.

hope this helps,
RT

rtt
Answered 5 years ago
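As an added illustration of the answer above (example code, not part of the original post or of any AWS SDK): the Python below builds a SigV4 query-string-authenticated URL of the kind shown, with placeholder credentials, so you can see which parameters carry the caller's identity (X-Amz-Credential, X-Amz-Security-Token), which one proves it (X-Amz-Signature), and which one bounds how long the link keeps working (X-Amz-Expires). It assumes path-style addressing and a fixed signing time so the output is reproducible; anyone holding such a URL can fetch the object until it expires, which is why it should be treated as a bearer credential.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _enc(s: str) -> str:
    # RFC 3986 encoding as SigV4 requires: only unreserved characters stay literal
    return quote(s, safe="-_.~")


def presign_get(bucket, key, access_key, secret_key, region, amz_date, expires,
                session_token=None, extra_params=None):
    """Build a SigV4 presigned GET URL for s3://bucket/key.
    amz_date is the signing time as 'YYYYMMDDTHHMMSSZ' (fixed here so output is reproducible)."""
    host = f"s3.{region}.amazonaws.com"
    path = quote(f"/{bucket}/{key}", safe="/-_.~")  # path-style URL, as in the answer
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = dict(extra_params or {})
    params.update({
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # who is asking
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),                # how long the grant lasts
        "X-Amz-SignedHeaders": "host",
    })
    if session_token:                                 # present for temporary credentials
        params["X-Amz-Security-Token"] = session_token
    # Canonical request: parameters sorted by name, only the host header signed, payload unsigned
    canonical_qs = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        ["GET", path, canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the per-date/region/service signing key from the secret, then sign
    k = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{canonical_qs}&X-Amz-Signature={signature}"


def presigned_params(url: str) -> dict:
    """Return the query parameters of a presigned URL as a flat dict (for inspection/auditing)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```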
0

Thanks a lot. That makes sense.

Answered 5 years ago
