Bucket policy: allow all principals from account for same-account access

0

I am trying to write a bucket policy that enables access for all principals in the AWS account, including those that do not have identity-based policies that explicitly allow access to the bucket.

When I listed the AWS account as the principal in the bucket policy, roles and users that don't also have identity based policies that enable access are getting denied. However, it works when I list a specific role/user ARN as the bucket policy principal.

Here is an example bucket policy that isn't working:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "XXXXXXXXXXXX"
    },
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::BUCKET",
        "arn:aws:s3:::BUCKET/*"
    ]
}

How do I whitelist all roles/users in the account? (So I can further limit access based on conditions)

1 個回答
0

If the account is an owner of the bucket, you should be able to access even without any permission.

So I am guessing you are trying to enable cross-account access for your S3?

If so, you need to give a specific permission for that user or role to access to that S3 in a different account. By design, this is how S3 controls permissions, with which that SQS, DynamoDB? shares a similar trait

已回答 1 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南