S3 Bucket List reveals top-level object names

0

The Situation

Customer is building a bucket that ingests data from outside multiple customers. If we call it "ingest-bucket" their intent is to use a folder structure with one folder per customer. The intended structure is something like this:

  • ingest-bucket/customer1/data1.log
  • ingest-bucket/customer1/data2.log
  • ingest-bucket/customer2/data1.log
  • ingest-bucket/customer2/data2.log
  • ingest-bucket/customer3/data1.log
  • ingest-bucket/customer3/data2.log

...and so on...

The Task

They have tried to give a third party access to just the ingest folder that corresponds to them. Imagine this is an engineer from customer2. It appears that they need to grant S3:ListBucket in order to allow them to read and download the files.

The Problem

The problem is that when customer2 does a ListBucket command, they can see the existence of the customer1 and customer3 folders. They don't have access to any objects inside those folders, but they can see the existence of the folder itself. This is a problem because Siemens doesn't want customer2 to see the folder named "customer1". It tells customer2 that customer1 is a Siemens customer and that's undesirable.

Possible Solution

Is there a solution to this? We decided to potentially use random names for this first-level folder, which anonymises the folder names. That's not great, but it's acceptable. Is there something I'm missing, though?

They've created an S3 bucket policy something like this:

{
    "Id": "bucket123456",
    "Statement": [{
        "Sid": "1",
        "Action": [   "s3:ListBucket" ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"   }
    }, {
        "Sid": "2",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: ingest-bucket/customer2/*",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"  }
    }]
}
AWS
asked 8 years ago545 views
1 Answer
0
Accepted Answer

Although you can't limit what is returned in the bucket listing, you can make a condition that the caller specifies a key prefix in the list call which limits the results to just their 'folder'

http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#condition-key-bucket-ops-2

Example policy with condition that requires them to provide a key prefix when listing:

{
    "Id": "bucket123456",
    "Statement": [{
        "Sid": "1",
        "Action": [   "s3:ListBucket" ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"   },
       "Condition" : { "StringEquals" : { "s3:prefix": "customer2"  } } 
    }, {
        "Sid": "2",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: ingest-bucket/customer2/*",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"  }
    }]
}
AWS
EXPERT
answered 8 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions