Bucket policy: allow all principals from account for same-account access

Question

I am trying to write a bucket policy that enables access for all principals in the AWS account, including those that do not have identity-based policies that explicitly allow access to the bucket.

When I listed the AWS account as the principal in the bucket policy, roles and users that don't also have identity based policies that enable access are getting denied.  However,  it works when I list a specific role/user ARN as the bucket policy principal.

Here is an example bucket policy that isn't working:

```
{
    "Effect": "Allow",
    "Principal": {
        "AWS": "XXXXXXXXXXXX"
    },
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::BUCKET",
        "arn:aws:s3:::BUCKET/*"
    ]
}
```
How do I whitelist all roles/users in the account? (So I can further limit access based on conditions)

Answer

If the account is an owner of the bucket, you should be able to access even without any permission.

So I am guessing you are trying to enable cross-account access for your S3?

If so, you need to give a specific permission for that user or role to access to that S3 in a different account. By design, this is how S3 controls permissions, with which that SQS, DynamoDB? shares a similar trait

Bucket policy: allow all principals from account for same-account access

相关内容