By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Bucket policy: allow all principals from account for same-account access

0

I am trying to write a bucket policy that enables access for all principals in the AWS account, including those that do not have identity-based policies that explicitly allow access to the bucket.

When I listed the AWS account as the principal in the bucket policy, roles and users that don't also have identity based policies that enable access are getting denied. However, it works when I list a specific role/user ARN as the bucket policy principal.

Here is an example bucket policy that isn't working:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "XXXXXXXXXXXX"
    },
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::BUCKET",
        "arn:aws:s3:::BUCKET/*"
    ]
}

How do I whitelist all roles/users in the account? (So I can further limit access based on conditions)

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAWS Identity and Access ManagementIAM Policies
Language
English
rePost-User-1202417
asked 4 months ago126 views
1 Answer
0

If the account is an owner of the bucket, you should be able to access even without any permission.

So I am guessing you are trying to enable cross-account access for your S3?

If so, you need to give a specific permission for that user or role to access to that S3 in a different account. By design, this is how S3 controls permissions, with which that SQS, DynamoDB? shares a similar trait

teduri90
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content