How to allow clients to write to an S3 bucket only if the bucket is in a specific AWS account?
0
These are the general formats for Amazon Resource Names (ARNs):
- arn:partition:service:region:account-id:resource-id
- arn:partition:service:region:account-id:resource-type/resource-id
- arn:partition:service:region:account-id:resource-type:resource-id
[https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html][1]
The challenge with S3:
S3 buckets are globally unique (well, if we exclude Gov Cloud and China regions). That is why S3 ARNs do not include region and the AWS account ID:
arn:aws:s3:::examplebucket
Now, what the customer is saying:
- we own a bucket
- we write a policy allowing service X to write secret file Y to the bucket
- we delete the bucket (and its contents), forgetting about service X
- someone else creates a bucket and allows anybody to write to it
- service X writes to "the bucket" (now owned by someone else)
It would be trivial to avoid by only allowing service X to write to "bucket foo" in a particular account, but AWS IAM explicitly disallows bucket ARNs with account IDs in them.
Is there any workaround for this?
asked 4 years ago962 views
1 Answer
- Newest
- Most votes
- Most comments
0
The functionality that helps with validating bucket owner has been recently released:
Bucket Owner condition:
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-owner-condition.html
answered 4 years ago
Relevant content
- How allow s3:putobject with inline policy only for the buckets belonging to a specific AWS account ?Accepted Answerasked a year ago
AWS OFFICIALUpdated 7 months ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 7 months ago
