S3 Bucket List reveals top-level object names

0

The Situation

Customer is building a bucket that ingests data from outside multiple customers. If we call it "ingest-bucket" their intent is to use a folder structure with one folder per customer. The intended structure is something like this:

  • ingest-bucket/customer1/data1.log
  • ingest-bucket/customer1/data2.log
  • ingest-bucket/customer2/data1.log
  • ingest-bucket/customer2/data2.log
  • ingest-bucket/customer3/data1.log
  • ingest-bucket/customer3/data2.log

...and so on...

The Task

They have tried to give a third party access to just the ingest folder that corresponds to them. Imagine this is an engineer from customer2. It appears that they need to grant S3:ListBucket in order to allow them to read and download the files.

The Problem

The problem is that when customer2 does a ListBucket command, they can see the existence of the customer1 and customer3 folders. They don't have access to any objects inside those folders, but they can see the existence of the folder itself. This is a problem because Siemens doesn't want customer2 to see the folder named "customer1". It tells customer2 that customer1 is a Siemens customer and that's undesirable.

Possible Solution

Is there a solution to this? We decided to potentially use random names for this first-level folder, which anonymises the folder names. That's not great, but it's acceptable. Is there something I'm missing, though?

They've created an S3 bucket policy something like this:

{
    "Id": "bucket123456",
    "Statement": [{
        "Sid": "1",
        "Action": [   "s3:ListBucket" ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"   }
    }, {
        "Sid": "2",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: ingest-bucket/customer2/*",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"  }
    }]
}
AWS
已提问 7 年前492 查看次数
1 回答
0
已接受的回答

Although you can't limit what is returned in the bucket listing, you can make a condition that the caller specifies a key prefix in the list call which limits the results to just their 'folder'

http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#condition-key-bucket-ops-2

Example policy with condition that requires them to provide a key prefix when listing:

{
    "Id": "bucket123456",
    "Statement": [{
        "Sid": "1",
        "Action": [   "s3:ListBucket" ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"   },
       "Condition" : { "StringEquals" : { "s3:prefix": "customer2"  } } 
    }, {
        "Sid": "2",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: ingest-bucket/customer2/*",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"  }
    }]
}
AWS
专家
已回答 7 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则