S3 Resource Owner and default Bucket/Object Privileges

0

Following is what the AWS Doc says:

"By default, all Amazon S3 resources—buckets, objects, and related subresources (for example, lifecycle configuration and website configuration)—are private: only the resource owner, an AWS account that created it, can access the resource."

I log in to my AWS account using the root user and create an S3 bucket and an object. While I can browse and see the objects, I get an "access denied" error when I try to click the http link to the file from the AWS console. As the AWS account root user / resource owner, shouldn't I have been able to get a successful read instead of the "access denied", as the doc suggests?

I turn the bucket into an "Objects can be public" bucket. But I still get the "access denied" error. I then make this object public. I now see the object when I click the http link to the file from the AWS console.

So, the question is, what does it specifically mean when the doc says "...only the resource owner, an AWS account that created it, can access the resource.", as even the resource owner was being denied access by default, and a whole lot of granting had to be done to make even the resource owner, that is the AWS root account, get access?

asked 5 years ago, 363 views
2 Answers
0
Accepted Answer

Hello

I know the confusion as I had the same prob.
The object you upload is yours (you are the owner and have full rights to it); you can download and delete it with no problems, right? The issue is clicking on the direct object URL to it, and that fails because that link does not carry any information about who you are, and thus the server cannot authenticate you. That's why it gives you an access denied.

If you were to compare in your browser what happens when you hit the download button, you will see that the browser sends header information with access control to "GeneratePresignedUrl", and what is returned to the browser looks like
presignedUrl: "https://s3.ap-northeast-1.amazonaws.com/your-bucket/object.ext?response-content-disposition=attachment&X-Amz-Security-Token=tokenvalue&X-Amz-Algorithm=value&X-Amz-Date=datetime&X-Amz-SignedHeaders=XXXX&X-Amz-Expires=SECONDS&X-Amz-Credential=CREDENTIALCODE%code2%REGION%s3%aws_request&X-Amz-Signature=signaturecode"
and that is the one that lets the browser get access to the object to download.

hope this helps,
RT

rtt
answered 5 years ago
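To make the accepted answer concrete, the following is an added example (not code from the thread or from AWS) that builds a path-style presigned GET URL of the shape quoted above using only the Python standard library, and then plays the server's role by recomputing the SigV4 signature from the URL. The point it demonstrates is the one the answer makes: a bare object URL carries no caller identity and is refused, while the X-Amz-* parameters carry the access key id, scope, date, expiry and an HMAC signature that the service can check. All credentials, the bucket, the object key and the timestamp are constructed placeholders; the optional X-Amz-Security-Token is included only when a session token is supplied, as it would be for temporary credentials.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed placeholders for the example; not real credentials or a real bucket.
ACCESS_KEY_ID = "AKIAEXAMPLEPLACEHOLDER"
SECRET_KEY = "example-secret-key-placeholder"
REGION = "ap-northeast-1"
BUCKET = "your-bucket"
OBJECT_KEY = "object.ext"
AMZ_DATE = "20240101T120000Z"   # constructed issue time, SigV4 format
SERVICE = "s3"
ALGORITHM = "AWS4-HMAC-SHA256"
AMZ_FORMAT = "%Y%m%dT%H%M%SZ"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str) -> bytes:
    """SigV4 signing key: an HMAC chain over date, region, service and terminator."""
    k_date = _hmac(("AWS4" + secret).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def canonical_query(params: dict) -> str:
    """Query string sorted by name and percent-encoded as SigV4 canonicalises it."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def compute_signature(secret: str, host: str, path: str, params: dict) -> str:
    """Hex signature over the canonical GET request; params exclude X-Amz-Signature."""
    _, date, region, _, _ = params["X-Amz-Credential"].split("/")
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),
        canonical_query(params),
        f"host:{host}\n",     # canonical headers, then the blank line that ends them
        "host",               # signed headers: only Host is covered for a presigned GET
        "UNSIGNED-PAYLOAD",   # presigned GETs do not bind a body hash
    ])
    string_to_sign = "\n".join([ALGORITHM, params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(signing_key(secret, date, region), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def presign_get(secret=SECRET_KEY, access_key_id=ACCESS_KEY_ID, bucket=BUCKET,
                key=OBJECT_KEY, region=REGION, amz_date=AMZ_DATE, expires=300,
                session_token=None) -> str:
    """Build a path-style presigned GET URL like the one quoted in the answer."""
    host = f"{SERVICE}.{region}.amazonaws.com"
    path = f"/{bucket}/{key}"
    params = {
        "response-content-disposition": "attachment",
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key_id}/{amz_date[:8]}/{region}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:   # only present when temporary (STS) credentials were used
        params["X-Amz-Security-Token"] = session_token
    params["X-Amz-Signature"] = compute_signature(secret, host, path, params)
    return f"https://{host}{path}?{canonical_query(params)}"


def verify_presigned_get(url: str, secret: str, now_amz=None) -> bool:
    """Server-side view: a URL without SigV4 parameters names no caller and is denied;
    a signed URL is accepted only if it is unexpired and the signature recomputes."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    presented = params.pop("X-Amz-Signature", None)
    required = {"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
                "X-Amz-Expires", "X-Amz-SignedHeaders"}
    if presented is None or not required.issubset(params):
        return False
    if params["X-Amz-Algorithm"] != ALGORITHM or params["X-Amz-SignedHeaders"] != "host":
        return False
    issued = datetime.strptime(params["X-Amz-Date"], AMZ_FORMAT).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_amz, AMZ_FORMAT).replace(tzinfo=timezone.utc)
           if now_amz else datetime.now(timezone.utc))
    if now > issued + timedelta(seconds=int(params["X-Amz-Expires"])):
        return False
    expected = compute_signature(secret, parts.netloc, unquote(parts.path), params)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url = presign_get()
    print(url)
    print("signed URL accepted:", verify_presigned_get(url, SECRET_KEY, "20240101T120200Z"))
    print("bare URL accepted:", verify_presigned_get(url.split("?")[0], SECRET_KEY))
```

The verifier uses hmac.compare_digest and checks the expiry before the signature, which is the order a service would use; changing the object key, the secret, or the clock invalidates the URL, which is why the console's presigned link works for the owner's session but the plain link does not.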
0

Thanks a lot. That makes sense.

answered 5 years ago
