To determine who has access to read the file xyz.txt in your S3 bucket, you need to consider multiple layers of access control in Amazon S3. Here's how you can investigate:
- Check the bucket policy: Look at the bucket policy for "testabpvc" to see if there are any permissions granted at the bucket level that might allow access to the file.
- Examine the object ACL: Check the Access Control List (ACL) specifically for the xyz.txt object. This will show if any specific permissions have been granted directly on the object.
- Review IAM policies: Look at IAM policies attached to users, groups, or roles in your AWS account. The policy you've shown for test-user is an example of this. Other users might have similar or more permissive policies.
- Check bucket ACL: Although less common, the bucket ACL might grant permissions that affect object access.
- Evaluate S3 Access Points: If you're using S3 Access Points, review their policies as they can provide another layer of access control.
- Use IAM Access Analyzer: This tool can help you identify resources in your organization and accounts, such as S3 buckets, that are shared with an external entity.
- Consider S3 Object Ownership settings: If you're using the "Bucket owner enforced" setting, this simplifies access control as all objects are owned by the bucket owner.
Remember, S3 evaluates all these layers when authorizing a request. A user needs permission from their IAM policy (or role), as well as not being explicitly denied by the bucket policy. If the object owner is different from the bucket owner, permissions in the object ACL are also considered.
For the most comprehensive view, you should review all these aspects to fully understand who can access the file.
Sources:
- Access control in Amazon S3 - Amazon Simple Storage Service
- How Amazon S3 authorizes a request for an object operation - Amazon Simple Storage Service
- Policies and permissions in Amazon S3 - Amazon Simple Storage Service
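To make the layered evaluation concrete, here is a small added example (not from the answer above or from AWS) that walks a principal, action and object ARN through a constructed bucket policy and a constructed identity policy the way the answer describes: an explicit Deny in any layer wins, otherwise an Allow in either layer grants for a same-account principal. The account ID and the policy contents are made-up placeholders; ACLs, conditions, SCPs, permission boundaries and cross-account rules are deliberately left out, so treat it as a model of the logic, not a substitute for IAM Access Analyzer or the policy simulator.

```python
import fnmatch
import json

# Constructed sample policies for illustration only. The bucket and user names come
# from the question; the account ID 111122223333 is a placeholder.
USER_ARN = "arn:aws:iam::111122223333:user/test-user"
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::testabpvc/secret/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/test-user"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::testabpvc/*"}
  ]}""")
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::testabpvc", "arn:aws:s3:::testabpvc/*"]}
  ]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(stmt, principal_arn):
    p = stmt.get("Principal", "*")  # identity policies carry no Principal element
    if p == "*":
        return True
    aws = _as_list(p.get("AWS", []))
    return "*" in aws or principal_arn in aws

def _stmt_matches(stmt, principal_arn, action, resource):
    # IAM wildcards (* and ?) map onto fnmatch; case-sensitive on purpose.
    return (_principal_matches(stmt, principal_arn)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def evaluate(principal_arn, action, resource, policies):
    """Simplified same-account decision: ExplicitDeny if any matching statement
    denies, Allow if any matching statement allows, else ImplicitDeny.
    Ignores ACLs, Condition blocks, SCPs, boundaries and cross-account rules."""
    decision = "ImplicitDeny"
    for pol in policies:
        for stmt in pol["Statement"]:
            if _stmt_matches(stmt, principal_arn, action, resource):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision
```

Run it against the real bucket and identity policies pulled with `aws s3api get-bucket-policy` and `aws iam get-user-policy` / `get-policy-version` to see which statement is granting or blocking a given user on xyz.txt.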