S3 Bucket List reveals top-level object names

0

The Situation

Customer is building a bucket that ingests data from outside multiple customers. If we call it "ingest-bucket" their intent is to use a folder structure with one folder per customer. The intended structure is something like this:

  • ingest-bucket/customer1/data1.log
  • ingest-bucket/customer1/data2.log
  • ingest-bucket/customer2/data1.log
  • ingest-bucket/customer2/data2.log
  • ingest-bucket/customer3/data1.log
  • ingest-bucket/customer3/data2.log

...and so on...

The Task

They have tried to give a third party access to just the ingest folder that corresponds to them. Imagine this is an engineer from customer2. It appears that they need to grant S3:ListBucket in order to allow them to read and download the files.

The Problem

The problem is that when customer2 does a ListBucket command, they can see the existence of the customer1 and customer3 folders. They don't have access to any objects inside those folders, but they can see the existence of the folder itself. This is a problem because Siemens doesn't want customer2 to see the folder named "customer1". It tells customer2 that customer1 is a Siemens customer and that's undesirable.

Possible Solution

Is there a solution to this? We decided to potentially use random names for this first-level folder, which anonymises the folder names. That's not great, but it's acceptable. Is there something I'm missing, though?

They've created an S3 bucket policy something like this:

{
    "Id": "bucket123456",
    "Statement": [{
        "Sid": "1",
        "Action": [   "s3:ListBucket" ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"   }
    }, {
        "Sid": "2",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: ingest-bucket/customer2/*",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"  }
    }]
}
AWS
已提問 7 年前檢視次數 493 次
1 個回答
0
已接受的答案

Although you can't limit what is returned in the bucket listing, you can make a condition that the caller specifies a key prefix in the list call which limits the results to just their 'folder'

http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#condition-key-bucket-ops-2

Example policy with condition that requires them to provide a key prefix when listing:

{
    "Id": "bucket123456",
    "Statement": [{
        "Sid": "1",
        "Action": [   "s3:ListBucket" ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ingest-bucket",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"   },
       "Condition" : { "StringEquals" : { "s3:prefix": "customer2"  } } 
    }, {
        "Sid": "2",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: ingest-bucket/customer2/*",
        "Principal": {  "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"  }
    }]
}
AWS
專家
已回答 7 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南