Principals in AWS S3 resource based policy - misleading docs.

1

Docs1 - Grant anonymous permissions

The docs above state that there is a difference between:

"Principal":"*" - an Allow effect in a resource-based policy allows anyone, even if they're not signed in to AWS

"Principal" : { "AWS" : "*" } - an Allow effect in a resource-based policy allows any root user, IAM user, assumed-role session, or federated user in any account in the same partition to access your resource

The doc page above points to another one with more details, Doc2 - All principals. Here we can read:

For anonymous users, the following elements are equivalent:

"Principal": "*"

"Principal" : { "AWS" : "*" }

It looks like the two docs contradict each other. What is the truth? Are they equivalent, or do they differ in terms of an S3 resource-based policy?

Based on my test, they are equivalent, and the statement that "Principal" : { "AWS" : "*" } with an Allow effect in a resource-based policy allows any root user, IAM user, assumed-role session, or federated user in any account in the same partition to access your resource is not true.

1 Answer
-1

Hello

A principal is a person or application that can make a request for an action or operation on an AWS resource. The principal is authenticated as the AWS account root user or an IAM entity to make requests to AWS. As a best practice, do not use your root user credentials for your daily work. Instead, create IAM entities (users and roles). You can also support federated users or programmatic access to allow an application to access your AWS account.

A principal must be authenticated (signed in to AWS) using their credentials to send a request to AWS. Some services, such as Amazon S3 and AWS STS, allow a few requests from anonymous users. However, they are the exception to the rule. These are referred to in the IAM docs here: https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html

In the example cited, there will be a difference between using the Principal in the two mentioned ways from the S3 perspective, as covered in this doc: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-bucket-user-policy-specifying-principal-intro.html#s3-anonymous-permissions

  • Using "Principal": "*" with an Allow effect in a resource-based policy allows anyone, even if they’re not signed in to AWS, to access your resource.
  • Using "Principal" : { "AWS" : "*" } with an Allow effect in a resource-based policy allows any root user, IAM user, assumed-role session, or federated user in any account in the same partition to access your resource. This applies to AWS users i.e. one has to sign in to AWS.

If your testing shows otherwise, kindly provide more detail on the policy used and how you tested it [signing in as an AWS user vs. without] to provide further context. Thank you.

AWS
answered 2 years ago
  • Thank you for your reply. Does it mean that "Principal" : { "AWS" : "*" } should limit object access only for authenticated AWS users?
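Whichever reading of the two doc pages is right for authenticated callers, a defender reviewing bucket policies should treat both spellings as a public grant, which is what the Doc2 passage quoted in the question says they are for anonymous users. The following policy linter is an added example written for this thread; it is not code from the question, the answer, or AWS. It normalises "Principal": "*" and "Principal": { "AWS": "*" } (including "*" inside a list) to the same finding, skips Deny statements and principals scoped to a specific ARN, and marks wildcard statements that carry a Condition block so a human can check whether the condition actually narrows access. The bucket name, account ID and ARNs are constructed placeholders.

```python
import json

# Constructed sample policies modelled on the two principal spellings in the thread.
# "example-bucket" and the account ID 111122223333 are placeholders, not from the page.
POLICY_STAR = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadStar",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

POLICY_AWS_STAR = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadAwsStar",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Scoped to one account root plus an explicit Deny with a wildcard: neither is a public Allow.
POLICY_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyEveryoneElse",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "111122223333"}},
        },
    ],
})

# Wildcard Allow with a Condition: still reported, but flagged for manual review.
POLICY_CONDITIONED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "*"]},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})


def principal_is_wildcard(principal) -> bool:
    """True for every spelling that the All-principals doc treats as 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json: str) -> list:
    """Return one finding per Allow statement whose Principal is a wildcard.

    Each finding records the Sid, the raw Principal element and whether the
    statement carries a Condition (which may or may not restrict who matches).
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue                          # Deny with "*" is a guard, not a grant
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{index}"),
            "principal": stmt["Principal"],
            "conditioned": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for name, doc in [("STAR", POLICY_STAR), ("AWS_STAR", POLICY_AWS_STAR),
                      ("SCOPED", POLICY_SCOPED), ("CONDITIONED", POLICY_CONDITIONED)]:
        print(name, find_public_statements(doc))
```

Run it as-is to see the four sample policies scored; feed it the output of `aws s3api get-bucket-policy --query Policy --output text` to check a real bucket. Any finding with "conditioned": False is a public grant regardless of which principal spelling was used; a finding with "conditioned": True needs a look at the condition keys before deciding whether it is acceptable.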
