- Newest
- Most votes
- Most comments
Short answer to your question is yes. If your IAM keys and your instance's IAM profiles/roles contain s3:* that will allow writing to any bucket that has default permissions. You can remove the permissions to not allow instances to write to buckets if they do not need to.
On the bucket side, you should add Bucket Policies which control who/what resources are allowed to perform what actions against them. See details of bucket policies here. Suggested policy would be to only allow specific roles or specific instances to read/write from each bucket.
Hello.
I'm unsure if this is due to my access ID and key, which serve as credentials (bucket owner has read and write permissions).
I think it depends on how you are accessing S3 from your application, but I think there is a connection.
Public access to S3 allows downloading by directly accessing the S3 object URL.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-bucket-intro.html
Therefore, even if all public access is set to be blocked, I suspect that the reason why access is possible is because the application is downloading the object via the AWS API using an SDK etc.
Try editing the IAM policy in a test environment to disable access to S3, and if the object cannot be displayed, you will know that access is using IAM.
Relevant content
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Adding that you should also check out the flowchart on this page which steps through the process of how policies are evaluated.