0
votes

From http://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-bucket-operation.html?shortFooter=true

Can someone clarify the context evaluation:

Example 3: Bucket Operation Requested by an IAM User Whose Parent AWS Account Is Also the Bucket Owner

In the example, the request is sent by Jill, an IAM user in AWS account 1111-1111-1111, which also owns the bucket.

Amazon S3 performs the following context evaluation:

Because the request is from an IAM user, in the user context, Amazon S3 evaluates all policies that belong to the parent AWS account to determine if Jill has permission to perform the operation.

In this example, parent AWS account 1111-1111-1111, to which the user belongs, is also the bucket owner. As a result, in addition to the user policy, Amazon S3 also evaluates the bucket policy and bucket ACL in the same context, because they belong to the same account.

Because Amazon S3 evaluated the bucket policy and bucket ACL as part of the user context, it does not evaluate the bucket context.

For example - what happens in the case where an IAM user created the Bucket?

1
I was under the impression that all buckets were owned by the parent account, regardless of which IAM account created it. Looking it up. - RaGe

1 Answer

1
votes

To illustrate the concept of context, consider this scenario:

  • My AWS account owns a bucket
  • Your AWS account creates an IAM user
  • We agree that your user needs to access my account's bucket

How do we allow that?

It is not sufficient for my account to allow your user to access my bucket.

It is also not sufficient for your account to authorize your IAM user to access my bucket.

Both of these things must be granted.

When the request arrives, it passes through two layers of authorization checks:

  • user context: does this user's account allow him or her to make this request? If no, then access denied; otherwise, next.
  • bucket context: does the bucket owner account allow this user to make this request? If no, then access denied; otherwise, access granted.

The system needs both sides to agree that the access should be allowed.

However... in the example you cited, everything needed is learned while evaluating the user context, since the same account controls/owns the user and the bucket. Evaluating the bucket context is redundant, so it isn't done in that case.

"User context" is user account context, and "bucket context" is bucket account context.


Or, perhaps your question is actually more simple than this.

what happens in the case where an IAM user created the Bucket?

It doesn't matter who creates the bucket. The bucket is owned by the AWS account that created it, whether it is the root user or an IAM user from that account. Users never own buckets, and which specific user created a bucket has no further significance once the bucket has been created.

The AWS account that creates a resource owns that resource. For example, if you create an IAM user in your AWS account and grant the user permission to create a bucket, the user can create a bucket. But the user does not own the bucket; the AWS account to which the user belongs owns the bucket. The user will need additional permission from the resource owner to perform any other bucket operations.

http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html#create-bucket-intro
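A small model of the two-layer check described in this answer, added here as an illustration; it is not part of the original post and not AWS's own evaluation code. The account IDs, the user name jill, the bucket name and the policies are constructed placeholders, and the same-account rule (a grant from either the user policy or the bucket policy is enough) is a simplification of the documented IAM behaviour.

```python
import fnmatch

# Constructed example: a bucket owned by account A, an IAM user in account B (placeholder IDs).
BUCKET_OWNER = "111111111111"
USER_ACCOUNT = "222222222222"
USER_ARN = f"arn:aws:iam::{USER_ACCOUNT}:user/jill"
OBJECT_ARN = "arn:aws:s3:::example-bucket/reports/q1.csv"

# Identity-based policy attached to the user in account B (identity policies carry no Principal).
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
# Resource-based bucket policy set by account A, naming the foreign user as Principal.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
EMPTY_POLICY = {"Statement": []}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource, principal=None):
    """Simplified IAM evaluation: an explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if principal is not None:  # resource-based policies must name the caller
            field = stmt.get("Principal", {})
            allowed = ["*"] if field == "*" else _as_list(field.get("AWS", []))
            if not any(p in ("*", principal) for p in allowed):
                continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def authorize(user_account, user_arn, user_policy, bucket_owner, bucket_policy, action, resource):
    """Model the two layers: user context first, bucket context only when the accounts differ."""
    user_ctx = evaluate(user_policy, action, resource)
    bucket_view = evaluate(bucket_policy, action, resource, principal=user_arn)
    if user_account == bucket_owner:
        # Same account: the bucket policy is folded into the user context and the bucket
        # context is skipped, so either policy may grant (an explicit Deny anywhere still wins).
        return "Deny" not in (user_ctx, bucket_view) and "Allow" in (user_ctx, bucket_view)
    # Cross-account: the user's own account must allow, and then the bucket owner must allow.
    return user_ctx == "Allow" and bucket_view == "Allow"

if __name__ == "__main__":
    print(authorize(USER_ACCOUNT, USER_ARN, USER_POLICY, BUCKET_OWNER, BUCKET_POLICY,
                    "s3:GetObject", OBJECT_ARN))  # True: both sides granted
```

Dropping either policy in the cross-account case turns the result into a denial, which is the "both of these things must be granted" point of the answer.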